WiredWX Christian Hobby Weather Tools
Run a DLL as an app windows pop-up message, possible malware

Hello,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:19 PM, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/kill.chm::/d_Main.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: MrobeService - OLYMPUS IMAGING CORP. - C:\WINDOWS\system32\MRobeService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4562 bytes

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.

Word Wrap is on in Notepad, and it makes the log(s) hard to read, so please switch it off.
The Word Wrap function is under the Format menu in Notepad.


I want to see what's installed because I see there have been traces of Newdotnet.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Run a DLL as an app windows pop-up message, possible malware

1001 Celebrities Catherine Zeta-Jones
ABBYY FineReader 5.0 Sprint
Ad-Aware
Advantage Biology and Chemistry
Advantage US History and Government
Advantage Writing and Vocabulary
America Online (Choose which version to remove)
AVG Free 8.0
Britannica Ready Reference
Broadcom Advanced Control Suite
Business Legal Forms
CCleaner (remove only)
Check Designer
Cisco Networking Academy curriculum 4.0.0.0
Classic PhoneTools
College Entrance Test Prep for SAT/PSAT
Conexant HSF V92 56K Data Fax PCI Modem
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
DataBase
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digicam Print (V2.0)
Digital Line Detect
DirectX Media Runtime 5.1
DVD Decrypter (Remove Only)
Easy CD Creator 5 Basic
High School Advantage 2002 Math
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Label Maker
Learn2 Player (Uninstall Only)
Lexmark X74-X75
m:trip
Mail List
Malwarebytes' Anti-Malware
Mavis Beacon Teaches Typing 12 Standard
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Visual Basic Professional Step by Step
Microsoft Visual C++ 2005 Redistributable
Modem Helper
Mozilla Firefox (3.0.7)
MyCheckBook
Nero Suite
Newsflash
Newsletters
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Paint Shop Pro 7
Photo Editor
Power BibleCD 4.4
PowerDVD
ProVenture Greeting Cards
Quicken 2002 New User Edition
RealPlayer Basic
Rebecca Romijn-Stamos SSI
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
SonicStage 3.0
Sound Blaster Audigy
Stationery
SureThing CD Labeler 4 SE
Type Stylist
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Viewpoint Media Player
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
WordPerfect Office 2002
WordPerfect Office 2002

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
Thank you for the log.

I see you have Viewpoint Manager; this is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". See here and here for more info.

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint Media Player
Then please find and delete this folder in bold (if present):
C:\Program Files\Viewpoint

Please download the LSPfix from here: LSPFix
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "newdotnet6_38.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Reboot normally.
After reboot,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\nosuch.mht!http://dev.eurodnsservices.com/fwni/kill.chm::/d_Main.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please delete this folder in bold if it's present:
C:\Program Files\NewDotNet

Since MBAM is already on the system, we'll use that.

  • Launch Malware Bytes Anti-malware.
  • Open the "Update" tab and check for updates. If there is any, allow the updates to be downloaded.
  • Once the program has finished, go back to the "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

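
The lines ticked for "Fix Checked" above are the same classes of entry a reader can flag mechanically in any HijackThis log, including the one in the first post: orphaned BHO entries ("(file missing)", "(no file)"), an O10 LSP chain that names a provider no longer on disk, an O16 DPF entry that chains the ms-its: and mhtml: handlers to pull an executable out of a remote CHM, and an O4 Run entry that hands Rundll32 a bare DLL name, which is exactly what produces a "Run a DLL as an App" error once that DLL has been removed. The Python triage below is an added example, not part of the original thread and not HijackThis code. The log lines are copied from the first post; the set of files assumed present on disk (PRESENT_FILES) and the DLL search order it walks (SEARCH_DIRS) are constructed assumptions so that the script runs offline.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code)."""
import ntpath
import re

# Constructed sample: entries copied from the thread's HijackThis log, plus one
# benign O2 and one benign O4 line so the triage has non-hits to pass over.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\\Program Files\\NewDotNet\\newdotnet6_38.dll (file missing)
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O10 - Broken Internet access because of LSP provider 'c:\\program files\\newdotnet\\newdotnet6_38.dll' missing
O16 - DPF: {11010101-1001-1111-1000-110263637096} - ms-its:mhtml:file://c:\\nosuch.mht!http://dev.eurodnsservices.com/fwni/kill.chm::/d_Main.exe
"""

# Assumed stand-in for the disk: lower-cased full paths that exist. P17.dll is
# deliberately absent, which is the condition behind "Run a DLL as an App".
PRESENT_FILES = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\igfxtray.exe",
    r"c:\program files\avg\avg8\avgssie.dll",
}

# Assumed search order for a bare DLL name handed to Rundll32 on XP: the
# directory rundll32.exe lives in, then System32, System and the Windows dir.
SEARCH_DIRS = [r"c:\windows\system32", r"c:\windows\system", r"c:\windows"]

RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)


def resolve_bare_dll(dll, present_files=PRESENT_FILES, search_dirs=SEARCH_DIRS):
    """Return the path a DLL name resolves to, or None if nothing is found."""
    dll = dll.lower()
    if "\\" in dll or "/" in dll:  # already qualified: check it as given
        return dll if dll in present_files else None
    for directory in search_dirs:
        candidate = ntpath.join(directory, dll)
        if candidate in present_files:
            return candidate
    return None


def rundll_target(cmd):
    """From 'Rundll32 <dll>,<entry> ...' return <dll>; None for other commands."""
    parts = cmd.strip().split(None, 1)
    if len(parts) != 2:
        return None
    exe = ntpath.basename(parts[0].strip('"')).lower()
    if exe not in ("rundll32", "rundll32.exe"):
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def triage_line(line, present_files=PRESENT_FILES):
    """Classify one log line; return (section, finding) or None if it is clean."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    if "(file missing)" in line or "(no file)" in line:
        return section, "orphan: target no longer exists; dead entry, safe to fix"
    if section == "O10":
        return section, "lsp: Winsock catalog names a missing provider; rebuild the chain"
    if section == "O16" and re.search(r"\b(ms-its|mhtml):", line, re.I):
        return section, "dpf: chains ms-its:/mhtml: handlers to pull an EXE out of a remote CHM"
    match = RUN_RE.match(line)
    if match:
        dll = rundll_target(match.group("cmd"))
        if dll is not None and resolve_bare_dll(dll, present_files) is None:
            return section, (f"rundll32: [{match.group('name')}] loads {dll}, which does "
                             "not resolve; this is what raises 'Run a DLL as an App'")
    return None


def triage(log_text, present_files=PRESENT_FILES):
    """Run triage_line over a whole log and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line, present_files)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG):
        print(f"{section:<4}{finding}")
```

On a live machine you would replace PRESENT_FILES with an os.path.exists check over the same search order. The Rundll32 check is the one that matters for this thread: P17.dll is named without a path, so Windows resolves it through the normal DLL search order at every logon, and the Run entry keeps firing the error after the DLL itself is gone, which is why the helper has it removed rather than repaired.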

Re: Run a DLL as an app windows pop-up message, possible malware

While Malwarebytes was scanning AVG picked up:

Threat Name: Trojan horse Downloader.Stubby.D

I didn't take any action yet on that, waiting for what you suggest.

Malwarebytes scan came back clean.

Re: Run a DLL as an app windows pop-up message, possible malware

Where did AVG find this?
Tell it to quarantine it. I want to have a look around now to make sure there isn't anything lurking still.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Re: Run a DLL as an app windows pop-up message, possible malware

Location of the threat was in: C/Documents and Settings\Local Settings\Temp\Satmat.exe

-AVG could not quarantine it, access denied.


DDS (Ver_09-03-16.01) - NTFSx86
Run by scott at 21:38:03.46 on Tue 03/17/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.410 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\scott\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = hxxp://localhost;
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [NWEReboot]
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\hqtmfc8m.default\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-6 27656]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-6 298264]

=============== Created Last 30 ================

2009-03-17 16:30 --d----- c:\program files\Trend Micro
2009-03-17 15:31 --d----- c:\docume~1\scott\applic~1\Malwarebytes
2009-03-17 15:31 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-17 15:31 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-17 15:31 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-17 15:31 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-03-17 15:40 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-17 15:40 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2003-01-21 17:12 207,759 ac------ c:\program files\INSTALL.LOG

============= FINISH: 21:38:36.92 ===============

Re: Run a DLL as an app windows pop-up message, possible malware

Not a problem.
DDS log looks okay to me. Smile...

We'll use OTMoveIt, as it has the power to clean the temp folders all in one go; since that file is located in temp anyway, it will die with the rest of the temp files. OTMoveIt will want to reboot; on reboot, let me know if that "run dll as an app" error returns. I think we fixed that, though.


Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\Documents and Settings\scott\Desktop\dds.scr
    C:\Documents and Settings\scott\Local Settings\Temp\Satmat.exe

    :commands
    [emptytemp]
    [reboot]


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: Run a DLL as an app windows pop-up message, possible malware

**The Run DLL as an Application is still there

========== FILES ==========
C:\Documents and Settings\scott\Desktop\dds.scr moved successfully.
File/Folder C:\Documents and Settings\scott\Local Settings\Temp\Satmat.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\scott\LOCALS~1\Temp\etilqs_726swJsUYkGON49gtxft scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03172009_214855

Files moved on Reboot...
File C:\DOCUME~1\scott\LOCALS~1\Temp\etilqs_726swJsUYkGON49gtxft not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be moved on reboot.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\scott\Local Settings\Application Data\Mozilla\Firefox\Profiles\hqtmfc8m.default\XUL.mfl moved successfully.

Re: Run a DLL as an app windows pop-up message, possible malware

Another Question:

AVG found this threat in another user's (not scott's) Temp directory. Does this matter, as I see this last part looks like it emptied scott's temp?

Re: Run a DLL as an app windows pop-up message, possible malware

So that satmat may be on another profile?

I've been reading about this error; there are a number of different forums looking at this, and a lot of them seem to be solved by updating a driver. x10net.dll is the USB receiver driver for ATI.

Does this ring any bells with you? 😉

It's getting late here, so answer my question above and I'll review it in the morning and see what we can do. Smile...


Re: Run a DLL as an app windows pop-up message, possible malware

-Satmat is on another user's profile correct.

I'll take a look at the driver. I can definitely confirm that something nasty is still on this machine, as my Device Manager is not what it should be (no controls up top etc.). Every time I click on a device in Device Manager I get the controls back, and if I hit "scan for hardware changes" I get the dll error message again. Thanks for your help so far, it's been amazing.

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
The "scan for hardware changes" isn't caused by malware, it's the device manager not picking up a piece of hardware correctly.

We'll fix this hardware issue soon, I want to kick the malware off this machine first. No point fixing your profile only to get re-infected again.

Switch to the user that shows that satmat and post a DDS log from that profile.
Instructions for DDS are in this post:
http://www.geekpolice.net/virus-spyware-malware-removal-f11/run-a-dll-as-an-app-windows-pop-up-message-possible-malware-t7560.htm#46538

Please open a new topic for that profile.


Re: Run a DLL as an app windows pop-up message, possible malware

The user in question no longer exists on this machine, so if we need to clear everything and delete his profile that is fine, just want to know how to proceed.

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
Okay, we can just delete that users entire profile.
Does your profile have administrator rights?

Press Start > Control Panel > User accounts

In the user accounts section, there should be your account, the profile we're deleting, and a guest (the guest account is default in XP, in case you're wondering).

Click on the profile we are deleting and it will open a list of options (set passwords, etc)
Does that list have the power to delete the profile?


Re: Run a DLL as an app windows pop-up message, possible malware

That user account appears to have already been deleted off the system, but I know that C:\Documents and settings\seth still exists. This appears to be part of the problem, as I know that one of the issues is somewhere in this Temp folder.

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
Just delete the seth folder if the seth account isn't there anymore.
Delete to the recycle bin for now, just in case. Smile...

Reboot once it's been deleted and see if that error remains.


Re: Run a DLL as an app windows pop-up message, possible malware

Cannot delete the seth folder, Access denied. I'm guessing there are some locked files in there 😉

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
Okay, lets try this.
Press Start > Run.
In the Run box, type in: control userpasswords2
Note the space between the l and u, and hit enter.

What user accounts do you see?


Re: Run a DLL as an app windows pop-up message, possible malware

I see:

Administrator
Hector
scott
Seth

Re: Run a DLL as an app windows pop-up message, possible malware

Hello.
There is a Hector account too??

Does Hector use this machine too or another dead user account no longer used?


Re: Run a DLL as an app windows pop-up message, possible malware

The hector account is used.

Re: Run a DLL as an app windows pop-up message, possible malware

Okay. Smile...

In the userpasswords2 options, highlight Seth and hit remove. Let me know how it goes.


Re: Run a DLL as an app windows pop-up message, possible malware

Ok I deleted "Seth" from that, no problems.

Re: Run a DLL as an app windows pop-up message, possible malware

See if the C:\Documents and settings\Seth folder is still there. Smile...


Re: Run a DLL as an app windows pop-up message, possible malware

Unfortunately yes it is still there.

Re: Run a DLL as an app windows pop-up message, possible malware

Can you delete it now? Smile...


Re: Run a DLL as an app windows pop-up message, possible malware

No, I cannot delete it.

Re: Run a DLL as an app windows pop-up message, possible malware
You'll need to log on to the Administrator account then.
Press Start > Log Off > Log Off.

Now in the user menu you might only see your account and the other one, but not Administrator.
Hit Ctrl+Alt+Del twice to access the advanced logon option.
In the username box, type in "administrator" without the quotes and try to log on.
If it won't let you because of a password, try admin or administrator.

If you can get on, go to Start > Control Panel > User Accounts.
Choose Seth if it's there and see if there's an option to delete it.


Re: Run a DLL as an app windows pop-up message, possible malware
Tried all variations; can't log in under Administrator.

Re: Run a DLL as an app windows pop-up message, possible malware
Hmm.
Who set up this machine? Did your parents set the Administrator password?


Re: Run a DLL as an app windows pop-up message, possible malware
This machine was Hector's brother's machine. The passwords he provided to access the admin and Seth accounts did not work, so I don't think there's anything we can do there. Do we have other options? Can I use a utility to just move/delete the Seth folder?

Re: Run a DLL as an app windows pop-up message, possible malware
control userpasswords2 does have an option to change the Administrator password: go back into control userpasswords2, highlight Administrator, and underneath the user accounts list there should be a change password option.


Re: Run a DLL as an app windows pop-up message, possible malware
Successfully changed the password and tried to log in as Administrator again. I get the message "unable to log you on because of an account restriction".

Re: Run a DLL as an app windows pop-up message, possible malware
Hmm.
I'll give this one more shot, then ask another forum tech to drop by.
In control userpasswords2, click the Advanced tab.
Under Advanced user management, click Advanced.

This opens the advanced user control. Double-click "Users", then right-click Seth if it's there and delete it.


Re: Run a DLL as an app windows pop-up message, possible malware
After clicking the "Advanced" button under Advanced user management, I get a message in the right-hand column stating that this snap-in cannot be used with Windows XP Home.

Re: Run a DLL as an app windows pop-up message, possible malware
Okay, hang tight and we'll see what my colleagues think.


Re: Run a DLL as an app windows pop-up message, possible malware
For what it's worth, I am able to log in to the machine under the Administrator account in safe mode. I tried deleting the "Seth" folder and it still says access denied.

Re: Run a DLL as an app windows pop-up message, possible malware
Oh, you got in.
In the control panel, go into the user accounts again.
Is Seth there?


Re: Run a DLL as an app windows pop-up message, possible malware
The user "Seth" is not in the user accounts. Just FYI, I also tried deleting the Seth folder in Documents and Settings and still got the access denied.

Re: Run a DLL as an app windows pop-up message, possible malware
Okay.
You can empty the temp folder anyway.

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now locate C:\Documents and Settings\Seth\Local Settings\Temp.
Delete EVERYTHING inside the Temp folder, but don't delete the Temp folder.

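A scripted version of the cleanup above, added here as an example and not part of the thread: it empties the Temp folder named in the thread (keeping the folder itself) and, for anything that survives with "access denied", prints the owner and any explicit Deny entries, which is the first thing to check before reaching for a third-party delete utility. The function name is my own; the path is the one from the thread. It needs PowerShell 2.0 or later, run from an administrator session.

```powershell
# Added example, not from the thread. Empties a profile's Temp folder, keeps the
# folder, and explains each "access denied" by showing owner and Deny entries.
function Clear-ProfileTemp {
    param(
        # Path taken from the thread; change it for a different profile.
        [string]$TempPath = 'C:\Documents and Settings\Seth\Local Settings\Temp'
    )

    if (-not (Test-Path -LiteralPath $TempPath)) {
        Write-Warning "Temp folder not found: $TempPath"
        return
    }

    $failed = @()
    # -Force also lists hidden and system files, the same ones the Folder Options
    # steps above make visible in Explorer.
    foreach ($item in Get-ChildItem -LiteralPath $TempPath -Force) {
        try {
            Remove-Item -LiteralPath $item.FullName -Force -Recurse -ErrorAction Stop
        } catch {
            $failed += $item
        }
    }

    foreach ($item in $failed) {
        Write-Output "COULD NOT DELETE: $($item.FullName)"
        try {
            $acl = Get-Acl -Path $item.FullName
        } catch {
            Write-Output "  Could not read its ACL: $($_.Exception.Message)"
            continue
        }
        # An owner shown as a raw SID (S-1-5-21-...) means the owning account no longer
        # exists; an administrator has to take ownership before the delete will succeed.
        Write-Output "  Owner: $($acl.Owner)"
        $deny = @($acl.Access |
                  Where-Object { $_.AccessControlType -eq 'Deny' } |
                  ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" })
        if ($deny.Count -gt 0) {
            Write-Output "  Deny entries: $($deny -join '; ')"
        } else {
            # No Deny entry and still refused: the item is most likely open in a
            # running process. Retry after a reboot (or from Safe Mode).
            Write-Output "  No Deny entries; the item is probably locked by a running process."
        }
    }
    Write-Output ("Done. {0} item(s) could not be removed." -f $failed.Count)
}

Clear-ProfileTemp
```

Explorer only ever says "access denied"; the owner and Deny lines above are what tell you whether the cause is a permission on the object (fixable by taking ownership as an administrator) or a file held open by something still running (fixable by closing it or rebooting).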

Re: Run a DLL as an app windows pop-up message, possible malware
I keep getting access denied.

Re: Run a DLL as an app windows pop-up message, possible malware
Even from the Administrator account?
Anyway, I wouldn't say you're in trouble; the file is only a temp file.

What problems remain?


Re: Run a DLL as an app windows pop-up message, possible malware
The "Run a DLL as an application" message pops up pretty consistently. And my Device Manager is completely broken. I tried plugging in a USB mouse and a thumb drive and neither one was recognized, so something is still up.

Re: Run a DLL as an app windows pop-up message, possible malware
Let's take a look at the Event Viewer.
Press Start > Run.
Type in eventvwr and hit Enter.

This opens the Event Viewer. Double-click on System.
Click the "Date" header to sort them with the most recent first.

Double-click the most recent one; it has a big description box explaining the problem.
Highlight what's inside the box, copy it and paste it back here.


Re: Run a DLL as an app windows pop-up message, possible malware
The WMI Performance Adapter service entered the stopped state.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Re: Run a DLL as an app windows pop-up message, possible malware
Hmm.
Have a look through a few of them and see if any of the descriptions mention a rundll32 error.

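Added example, not part of the thread: a read-only PowerShell triage script that gathers in one pass what the helper is asking for about the "Run a DLL as an App" dialog. It lists recent System and Application events mentioning rundll32, every running rundll32.exe together with the command line it was started with (so you can see which DLL it loaded), and Run/RunOnce autostart entries that invoke rundll32, checking whether the DLL each one names still exists; an autostart that points at a DLL that has since been removed is one common reason the dialog appears at every logon. The function names and the DLL-path regex are my own; the cmdlets, WMI class and registry keys are standard Windows ones. Needs PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Read-only rundll32 triage: event log hits,
# live rundll32.exe command lines, and autostart entries that call rundll32.

function Get-RundllEvents {
    param([int]$Newest = 500)
    foreach ($log in 'System', 'Application') {
        Get-EventLog -LogName $log -Newest $Newest |
            Where-Object { $_.Message -match 'rundll32' } |
            Select-Object @{ n = 'Log'; e = { $log } }, TimeGenerated, EntryType, Source, EventID, Message
    }
}

function Get-RundllProcesses {
    # Win32_Process exposes the full command line, which Task Manager on XP does not show.
    Get-WmiObject -Class Win32_Process -Filter "Name = 'rundll32.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-RundllAutostarts {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            if ($cmd -notmatch 'rundll32') { continue }

            # Heuristic (my own): the DLL is the first argument after rundll32[.exe],
            # up to the comma that separates it from the entry-point name.
            $dll = $null
            $exists = $null
            if ($cmd -match 'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,') {
                $dll = $matches[1].Trim()
                # A bare file name (no backslash) is resolved through the system directory.
                $candidate = $dll
                if ($dll -notmatch '\\') {
                    $candidate = Join-Path (Join-Path $env:windir 'System32') $dll
                }
                $exists = Test-Path -LiteralPath $candidate
            }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                DllPath   = $dll
                DllExists = $exists
            }
        }
    }
}

Write-Output '=== Events mentioning rundll32 ==='
Get-RundllEvents | Format-List
Write-Output '=== Running rundll32.exe instances ==='
Get-RundllProcesses | Format-List
Write-Output '=== Autostart entries invoking rundll32 ==='
Get-RundllAutostarts | Format-List
```

When reading the output: a legitimate entry normally names a DLL under the Windows or Program Files tree. An entry whose DLL lives in a Temp folder or a user profile, or whose DllExists is False, is the one to paste back to the helper, since a missing or removed DLL leaves an autostart that fails at every logon and produces exactly this kind of rundll32 dialog.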

Re: Run a DLL as an app windows pop-up message, possible malware
I don't see anything relating to the DLL problem.

Re: Run a DLL as an app windows pop-up message, possible malware
Okay, hold tight and we'll see if my colleagues have any ideas.


Re: Run a DLL as an app windows pop-up message, possible malware
Any news back from your colleagues?
