Best answer by Rakanisheu (Retired)
notepad popup on desktop
A friend's computer just started to get a notepad text file, ubxkpwpz.scr, popping up on the desktop on startup. It's linked to WebRoot, because if it doesn't run, webroot won't run. The full path for this is C:\programfiles\HWXOcFcM\UBXkpwPZ.scr. Anyone know why this started?
As far as I understand, files of type .scr are screensavers. And if a file with .scr opens in Notepad, http://www.dougknox.com/xp/fileassoc/xp_scr_fix.zip could be tried (caution: use only after other members and Webroot support members have confirmed this).
As for WSA not starting if that notepad file doesn't run, my guess would be the file is supposed to be a screen saver for WSA. But then again, I didn't find any screensaver for WSA, ever!
Everything in that folder will automatically start when logging into your computer. If it somehow got into that folder, removing it will stop it from automatically starting.
I may be wrong, but that does not appear to be normal at all to me. Webroot does not include screen savers, and anything that Webroot does include would be in the Webroot program folder, not the path "C:\programfiles\HWXOcFcM\UBXkpwPZ.scr". I would strongly suggest that you Submit a Trouble Ticket if this is tied to Webroot in any way. That may be a new unidentified malware of some sort that needs attention.
I remember (now) that Webroot would do this, and it had completely slipped my mind.
Malwarebytes Anti-Malware (Trial) 22.214.171.1240 www.malwarebytes.org
Database version: v2013.04.25.08
Windows 7 Service Pack 1 x64 NTFS Internet Explorer 9.0.8112.16421 JEWEL :: JEWEL-HP [administrator]
4/25/2013 11:14:45 PM mbam-log-2013-04-25 (23-14-45).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321310
Time elapsed: 47 minute(s), 8 second(s)
Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)
I tend to think that WSA could remove the infection (*.scr file) during reboot and put it into quarantine.
1. Download Webroot's log-gathering utility from the following link:
2. Save the file to your Desktop (or the preferred Download folder of your web browser).
3. Once it has finished downloading, double-click the wsalogs.exe file on your Desktop to run it.
4. In the box labeled "Email:", enter firstname.lastname@example.org
5. Click the "Go!" button to begin the log gathering process.
Once it's finished, reply to this thread so I know you have run the tool.
Sorry to ask you to get the logs I just wanted to be sure.
WRSVC REG_SZ "C:\Program Files\HWXOcFcM\UBXkpwPZ.scr" -ul
Directory of C:\Program Files\HWXOcFcM
12/27/2012 07:52 PM <DIR> .
12/27/2012 07:52 PM <DIR> ..
03/29/2013 02:09 PM 729,528 UBXkpwPZ.scr
File size, service name and time stamp are correct.
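The two artifacts this thread turns on are a hijacked HKCR "open" command for .scr files (the Malwarebytes log above shows it pointing at NOTEPAD.EXE) and a service, WRSVC, whose binary is a .scr file under an oddly named Program Files subfolder. The following PowerShell audit is an added example, not code from the thread, from Webroot or from Malwarebytes; it only reads the registry and disk and reports, it repairs nothing. The expected "open" command values are the "Good:" values from the Malwarebytes log; the service heuristics (a .scr service binary, an unsigned or missing binary) are the author's own assumptions about what makes an entry worth a second look.

```powershell
# Added example: audit .scr/.reg open commands and service binaries on the local machine.
# Run from an elevated PowerShell prompt. Read-only.

# Values Malwarebytes restored in the log above ("Good:" entries).
$ExpectedOpenCommands = @{
    'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command' = '"%1" /S'
    'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command' = 'regedit.exe "%1"'
}

# Compare the current default value of each key with the expected command.
function Test-OpenCommand {
    foreach ($key in $ExpectedOpenCommands.Keys) {
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($null -eq $actual) {
            [pscustomobject]@{ Key = $key; Status = 'MISSING'; Actual = $null }
        } elseif ($actual -ne $ExpectedOpenCommands[$key]) {
            # A value such as NOTEPAD.EXE "%1" here is what produced the Notepad popup.
            [pscustomobject]@{ Key = $key; Status = 'CHANGED'; Actual = $actual }
        } else {
            [pscustomobject]@{ Key = $key; Status = 'OK'; Actual = $actual }
        }
    }
}

# Extract the executable path from a raw ImagePath string such as
#   "C:\Program Files\HWXOcFcM\UBXkpwPZ.scr" -ul
# handling quoted paths, %VAR% expansion, the \??\ and \SystemRoot\ prefixes,
# and the relative system32\ form used by many drivers.
function Get-ServiceExecutable {
    param([string]$ImagePath)
    $path = if ($ImagePath -match '^\s*"([^"]+)"') { $Matches[1] }
            else { (($ImagePath -replace '^\s*\\\?\?\\', '') -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -match '^\\SystemRoot\\') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }
    return $path
}

# Walk every service key and report the ones that match the heuristics.
# Note: an unquoted ImagePath with spaces is truncated at the first space by the
# split above and will show as "binary not found", which is itself worth a look.
function Find-SuspiciousService {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.ImagePath) { return }
        $exe = Get-ServiceExecutable -ImagePath $props.ImagePath
        $reasons = @()
        if ($exe -match '\.scr$') { $reasons += 'service binary is a .scr file' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        } else {
            $reasons += 'binary not found on disk'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service    = $_.PSChildName
                ImagePath  = $props.ImagePath
                Executable = $exe
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Test-OpenCommand | Format-Table -AutoSize
Find-SuspiciousService | Format-Table -AutoSize
```

On a typical machine the signature check produces some noise (unsigned third-party drivers are common), so read the output for the decisive hits: a CHANGED open command, or a service whose executable ends in .scr. The WRSVC value quoted above would appear in the second table with both the .scr reason and whatever Authenticode status the file carries.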
Toasty says that it's "a new HP with preinstalled software" and according to Rakanisheu "Webroot was installed a long time ago".
If there are indeed HDD errors then this machine might not be as "New" as toasty indicated. Obviously "New" can mean a lot of things. If you bought this machine from a shop with this virus onboard then I suggest you bring it back to the shop you bought it from.
I'm curious how you can have WSA as preinstalled. Do they give you the keycode that was used to preinstall the software, so you can create a My Webroot account with it, or did they already set that up as well?
Still interested to hear how "WSA preinstalled" works.
Mon 2012-04-23 16:28:51.0426 Begin Installation
Mon 2012-04-23 16:28:51.0925 Installation successfully completed (WSARETAIL.EXE/2713)
Mon 2012-04-23 16:28:52.0096 >>> Service started [v126.96.36.199]
Mon 2012-04-23 16:28:52.0486 User process connected successfully from PID 2672, Session 1
Loads and loads of these:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
Application popup: UNINSTALL.EXE - Corrupt File : The file or directory C:\Users\JEWEL\AppData\Local\Temp\toolbar_log.txt is corrupt and unreadable. Please run the Chkdsk utility.
The driver detected a controller error on \Device\Harddisk2\DR2.