Solved

notepad popup on desktop


A friend's computer just started to get a notepad text file, ubxkpwpz.scr, popping up on the desktop on startup. It's linked to Webroot, because if it doesn't run, Webroot won't run. The full path for this is C:\programfiles\HWXOcFcM\UBXkpwPZ.scr. Anyone know why this started?

Best answer by Rakanisheu Retired 26 April 2013, 15:10


24 replies

Userlevel 7
Hello toasty and welcome to the webroot community.

As far as I understand, files of type .scr are screensavers. And if a file with .scr opens in Notepad, http://www.dougknox.com/xp/fileassoc/xp_scr_fix.zip could be tried. (Caution: use only after other members and Webroot support members have confirmed this.)

As for WSA not starting if that notepad file doesn't run, my guess would be that the file is supposed to be a screen saver for WSA. But then again I didn't find any screensaver for WSA, ever!
Userlevel 5
Can you check in your "Start Menu" (assuming you're not using Windows 8) under the folder called "Startup" to see if this file is listed there? If it is, you can safely remove it from that location.
 
Everything in that folder will automatically start when logging into your computer. If it somehow got into that folder removing it will stop it from automatically starting.
Userlevel 7
Hello toasty and welcome to the Webroot Community!
 
I may be wrong, but that does not appear to be normal at all to me. Webroot does not include screen savers, and anything that Webroot does include would be in the Webroot program folder, not the path "C:\programfiles\HWXOcFcM\UBXkpwPZ.scr". I would strongly suggest that you Submit a Trouble Ticket if this is tied to Webroot in any way. That may be a new unidentified malware of some sort that needs attention.
Userlevel 7
David is fully right. I would be very careful ... something smells here. Opening a support case is the best, fastest and safest way to get it resolved. BTW, how did you come to the conclusion that this file is linked to WSA?
Userlevel 7
WSA will install to a random path and with a random .exe name if it detects a pre-existing infection that tries to block it from installing. However, it won't have a .scr extension. What you're seeing doesn't sound like normal behaviour. If you submit a ticket I can collect logs and check it out for you.
Userlevel 7
@ wrote:
WSA will install to a random path and with a random .exe name if it detects a pre-existing infection that tries to block it from installing. However, it won't have a .scr extension. What you're seeing doesn't sound like normal behaviour. If you submit a ticket I can collect logs and check it out for you.
And there is my learning for today! I didn't know Webroot would install that way. Thank you!
Userlevel 7
@ wrote:
WSA will install to a random path and with a random .exe name if it detects a pre-existing infection that tries to block it from installing. However, it won't have a .scr extension. What you're seeing doesn't sound like normal behaviour. If you submit a ticket I can collect logs and check it out for you.
This program does so many neat things that it is easy to forget some of what it can do.
 
I remember (now) that Webroot would do this, and it had completely slipped my mind. 
Thanks for all the replies. Last night I installed Malwarebytes on the computer and let it run. Malwarebytes found 2 Broken.OpenCommand registry entries for notepad.exe. Malwarebytes quarantined and repaired both entries. I checked to see if the UBXkpwPZ.scr file was still there, and it was. However, instead of having a notepad icon, it has the round, green Webroot icon. To me, this verifies that this is indeed a Webroot file. I rebooted the computer, Webroot started, and no notepad popup. Perfect! I also installed and ran Spybot S&D. Everything looks good.
Userlevel 7
Toasty, can you look in to Quarantine for an entry which resembles the *.scr file?
The quarantine folder had 2 data files, nothing readable. Here's a copy of the Malwarebytes log.
 
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.04.25.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
JEWEL :: JEWEL-HP [administrator]

Protection: Enabled

4/25/2013 11:14:45 PM
mbam-log-2013-04-25 (23-14-45).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 321310
Time elapsed: 47 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> Quarantined and repaired successfully.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Userlevel 7
Thanks toasty. My bad, but I meant the WSA quarantine folder. Sorry to bother you.
 
I tend to think that WSA could remove the infection (*.scr file) during reboot and put it into quarantine.
Userlevel 7
Hmm, those MBAM logs indicate that the shell entry for Notepad was broken. That can sometimes happen and isn't an indication of malware. I am still interested in that .scr file, however. If you wouldn't mind, I would like you to collect logs; the process is below.
 
1. Download Webroot's log-gathering utility from the following link:

http://download.webroot.com/wsalogs.exe

2. Save the file to your Desktop (or the preferred Download folder of your web browser).  

3. Once it has finished downloading, double-click the wsalogs.exe file on your Desktop to run it.

4. In the box labeled "Email:", enter rtobin@webroot.com 

5. Click the "Go!" button to begin the log gathering process.
 
Once it's finished, reply to this thread so I know you have run the tool.
 
Thanks,
Roy
Not a problem.
 

OK, sent the logs. I'm jumping between computers. I don't think I'm going to spend much more time doing this.
Userlevel 7
Confirmed it's Webroot, thanks for the info. Webroot must have found something in its initial scan and randomised its install name and path.
 
Sorry to ask you to get the logs I just wanted to be sure.
 
    WRSVC    REG_SZ    "C:\Program Files\HWXOcFcM\UBXkpwPZ.scr" -ul
 
 Directory of C:\Program Files\HWXOcFcM

12/27/2012  07:52 PM    <DIR>          .
12/27/2012  07:52 PM    <DIR>          ..
03/29/2013  02:09 PM           729,528 UBXkpwPZ.scr
 
File size, service name and time stamp are correct.
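The two findings above, the Broken.OpenCommand entries in the Malwarebytes log and the WRSVC service path in Roy's log excerpt, can be checked on a machine directly. The following PowerShell script is an added example for this thread, not code from the thread's participants or from Webroot. It reads the (default) value of HKCR\scrfile\shell\open\command and HKCR\regfile\shell\open\command and compares each with the repaired "Good" value the MBAM log shows, then reads the ImagePath of the WRSVC service and reports the binary's size, last-write time and Authenticode signer so they can be compared with the directory listing above. The expected values and the service name come from the log lines in this thread; the signature check is an assumption of the example, an extra step the thread did not perform. Run it from an elevated PowerShell prompt.

```powershell
# Added example for this thread (not Webroot's code). Audits the registry
# items the MBAM log flagged and the WRSVC service binary on the local machine.

# Expected (default) values, taken from the "Good:" part of the MBAM log above.
$expected = @{
    'scrfile' = '"%1" /S'            # default handler for screensaver (.scr) files
    'regfile' = 'regedit.exe "%1"'   # default handler for .reg files
}

function Get-OpenCommand {
    param([string]$ProgId)
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # which is what the shell consults, so read it through the Registry provider.
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (-not (Test-Path $key)) { return $null }
    # The unnamed default value is what the MBAM log shows as a trailing '|'.
    return (Get-ItemProperty -Path $key).'(default)'
}

function Test-OpenCommands {
    foreach ($progId in $expected.Keys) {
        $actual = Get-OpenCommand -ProgId $progId
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif ($actual -ne $expected[$progId]) { 'MISMATCH' }
                  else { 'OK' }
        [pscustomobject]@{
            ProgId   = $progId
            Status   = $status
            Actual   = $actual
            Expected = $expected[$progId]
        }
    }
}

function Get-WrsvcBinary {
    # Service name taken from the registry line in Roy's post.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WRSVC'
    if (-not (Test-Path $svcKey)) { return $null }
    $imagePath = (Get-ItemProperty -Path $svcKey).ImagePath
    # ImagePath in the thread looks like: "C:\...\UBXkpwPZ.scr" -ul
    # Pull the quoted file name out and drop the trailing argument.
    if ($imagePath -notmatch '"([^"]+)"') { return [pscustomobject]@{ ImagePath = $imagePath } }
    $exe = $Matches[1]
    if (-not (Test-Path $exe)) {
        return [pscustomobject]@{ ImagePath = $imagePath; Exists = $false }
    }
    $file = Get-Item -Path $exe
    # Added check (assumption of this example): verify the Authenticode signer.
    $sig  = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        ImagePath    = $imagePath
        Exists       = $true
        SizeBytes    = $file.Length       # thread shows 729,528 for the known-good file
        LastWrite    = $file.LastWriteTime
        SignerStatus = $sig.Status        # 'Valid' for a properly signed binary
        Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

Test-OpenCommands | Format-Table -AutoSize
Get-WrsvcBinary   | Format-List
```

A MISMATCH row whose Actual column reads NOTEPAD.EXE "%1" reproduces the condition in the MBAM log: double-clicking, or the service launcher starting, a .scr would open it in Notepad instead of executing it. On a clean machine both rows read OK, and the WRSVC object shows a valid signature from the vendor rather than an unsigned file at a random path.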
Userlevel 7
Thanks Roy for the feedback. Does it mean that this was the case of a random installation due to detecting a pre-existing infection?
OK guys, that's it for me. A new day awaits!
Userlevel 7
So Webroot also assigned itself the .scr extension?
Userlevel 7
The logs indicate that Webroot was installed a long time ago. I can see a large number of HDD errors, which may explain the install paths. It's hard to say exactly why it went to that path, but I don't see any of the usual culprits that cause WSA to install in random paths (ZeroAccess etc.). Perhaps Webroot was previously installed and was corrupt and the user selected not to import the settings. However, we solved the mystery and the PC is clean of infections 😃
Just for the record, this computer is a new HP with preinstalled software. The only user-installed software was what I installed last night, Malwarebytes and Spybot; Malwarebytes fixed the problem. WSA was a preinstalled program.
Userlevel 5
Somehow that info doesn't match up.
 
Toasty says that it's "a new HP with preinstalled software" and according to Rakanisheu "Webroot was installed a long time ago".
 
If there are indeed HDD errors then this machine might not be as "New" as toasty indicated. Obviously "New" can mean a lot of things. If you bought this machine from a shop with this virus onboard then I suggest you bring it back to the shop you bought it from.
 
I'm curious how you can have WSA as preinstalled. Do they give you the keycode that was used to preinstall the software with to create a My Webroot account with or did they already set that up as well?
Userlevel 7
@ wrote:
Somehow that info doesn't match up.
 
Toasty says that it's "a new HP with preinstalled software" and according to Rakanisheu "Webroot was installed a long time ago".
 
If there are indeed HDD errors then this machine might not be as "New" as toasty indicated. Obviously "New" can mean a lot of things. If you bought this machine from a shop with this virus onboard then I suggest you bring it back to the shop you bought it from.
 
I'm curious how you can have WSA as preinstalled. Do they give you the keycode that was used to preinstall the software with to create a My Webroot account with or did they already set that up as well?
Being a new purchase may mean that it was a refurbished machine... that might explain the inconsistencies.
Userlevel 5
Yeah, that could be a reason.
 
Still interested to hear how "WSA preinstalled" works.
Userlevel 7
I can only go from what I see in the logs. The initial logs are dated Monday 23rd of April 2012 and it's quite an old build of WSA, 8.0.0.7. I can see a number of HDD and controller errors in the Windows event logs. Since the time stamps go all the way back to then, I don't think it's an incorrectly set time either.
 
Mon 2012-04-23 16:28:51.0426    Begin Installation
Mon 2012-04-23 16:28:51.0925    Installation successfully completed (WSARETAIL.EXE/2713)
Mon 2012-04-23 16:28:52.0096    >>> Service started [v8.0.0.7]
Mon 2012-04-23 16:28:52.0486    User process connected successfully from PID 2672, Session 1
 
Loads and loads of these:
 
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
Application popup: UNINSTALL.EXE - Corrupt File : The file or directory C:\Users\JEWEL\AppData\Local\Temp\toolbar_log.txt is corrupt and unreadable. Please run the Chkdsk utility.
The driver detected a controller error on \Device\Harddisk2\DR2.
 