hijack log check please

  1. #1
    evilgeniusxp (Junior Member)

    hijack log check please

    I recently got a rootkit found in firefox.exe.

    Here is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:36:01 PM, on 7/23/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    K:\abyss\filezilla\FileZilla Server\FileZilla Server Interface.exe
    C:\Program Files\1st SMTP Server\SMTPServer.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\DynDNS Updater\DynDNS.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    K:\abyss\Abyss Web Server\abyssws.exe
    K:\abyss\Abyss Web Server\abyssws.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    K:\abyss\filezilla\FileZilla Server\FileZilla Server.exe
    K:\abyss\Abyss Web Server\bin\mysqld-nt.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Xfire\Xfire.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - (no file)
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [FileZilla Server Interface] "K:\abyss\filezilla\FileZilla Server\FileZilla Server Interface.exe"
    O4 - HKLM\..\Run: [smtpsrv] C:\Program Files\1st SMTP Server\SMTPServer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
    O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Send this URL to WTR - Web The Ripper 2 - {c23e2132-960c-44fc-8ebd-39b37aa4de78} - C:\Program Files\npSoftware\WTR - Web The Ripper 2\wtr.ie.html (file missing)
    O9 - Extra 'Tools' menuitem: WTR - Web The Ripper 2 - {c23e2132-960c-44fc-8ebd-39b37aa4de78} - C:\Program Files\npSoftware\WTR - Web The Ripper 2\wtr.ie.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147974126234
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O23 - Service: Abyss Web Server (AbyssWebServer) - Aprelium Technologies - K:\abyss\Abyss Web Server\abyssws.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - K:\abyss\filezilla\FileZilla Server\FileZilla Server.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MySQL - Unknown owner - K:\abyss\Abyss.exe (file missing)
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


  2. #2
    VopThis, Senior Member (Canada)
    I do not see any issues evident in your Hijackthis LOG.



    If you consider the potential rootkit to still be a problem,

    Please download this file:
    http://www.sysinternals.com/files/rootkitrevealer.zip
    Unzip it to its own folder or to your desktop.
    Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.

  3. #3
    evilgeniusxp (Junior Member)
    OK, here is that scan.


    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/29/2006 5:23 PM 0 bytes Access is denied.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\b9c.F1A0ADA201C6AEA6.history\00000000.bak 7/23/2006 6:27 PM 4.73 MB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\220A4116d01 7/23/2006 6:27 PM 27.57 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\9FE68F8Dd01 7/22/2006 8:03 PM 30.78 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~9f509ae2393.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~9f509d65f33.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~9fb93d44e83.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~9fb93f9e533.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~9fbc4c611ed.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, MFT, but not in directory index.
    C:\WINDOWS\Temp\cch~9fbc5251eb5.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, MFT, but not in directory index.
    C:\WINDOWS\Temp\cch~9fc69376af1.htp 7/23/2006 6:25 PM 8.00 KB Visible in Windows API, MFT, but not in directory index.
    C:\WINDOWS\Temp\cch~9fc696aadb1.htp 7/23/2006 6:25 PM 8.00 KB Visible in Windows API, MFT, but not in directory index.
    C:\WINDOWS\Temp\cch~a670a7eefbd.htp 7/23/2006 6:27 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\Temp\cch~a670aa539ad.htp 7/23/2006 6:27 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.

  4. #4
    VopThis, Senior Member (Canada)
    Cleanout your Firefox cache:

    Tools>Options>Cache>Clear Cache Now



    Clean out TEMPORARY FILES:
    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner http://www.ccleaner.com/downloadbuilds.asp

    Install Options:
    • Don't install any Toolbars, or other programs, should it ask you!
    • Just uncheck the option of installing the Yahoo toolbar.

    It will put a shortcut on your Desktop.

    Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ’Windows’ TAB up front by default.
    • Uncheck ‘Cookies’ option (advisable)
    • Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
    • Click the ‘Analyse’ button.
    • Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.



    Run RootkitRevealer again. Tell us whether things have now improved.

  5. #5
    evilgeniusxp (Junior Member)
    OK, I did the cleaner and here is the new rootkit scan.


    HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/29/2006 5:23 PM 0 bytes Access is denied.
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\d6c.C6E27C9A01C6AF5E.history\00000000.bak 7/24/2006 4:23 PM 4.57 MB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\cookies.txt.moztmp 7/24/2006 4:26 PM 1.72 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\nsevilgenius\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\parent.lock 7/24/2006 4:24 PM 0 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\24ED5C18d01 7/24/2006 4:24 PM 33.19 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\46D27CCDd01 7/24/2006 4:24 PM 24.61 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\861E2588d01 7/24/2006 4:24 PM 40.81 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\8CD94688d01 7/24/2006 4:26 PM 52.14 KB Visible in directory index, but not Windows API or MFT.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\C1A7DD76d01 7/24/2006 4:24 PM 27.31 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\E58D07F1d01 7/24/2006 4:24 PM 55.27 KB Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Local Settings\History\History.IE5\MSHist012006071720060724 7/24/2006 4:07 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\nsevilgenius\Local Settings\History\History.IE5\MSHist012006071720060724\index.dat 7/23/2006 5:20 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\nsevilgenius\Recent\100NIKON.lnk 7/24/2006 4:24 PM 308 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0437.lnk 7/24/2006 4:23 PM 431 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0440.lnk 7/24/2006 4:23 PM 431 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0441.lnk 7/24/2006 4:24 PM 431 bytes Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d2f1ade7d837.htp 7/24/2006 4:24 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d2f1ae2fa59f.htp 7/24/2006 4:24 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31440378fd1.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d314406d2f91.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316c7a542b1.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316c7fdd7d9.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316d3326615.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316d3905e59.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316dffce751.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316e1384a39.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316ed609b81.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316edba0d81.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316f949fa65.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d316f99a4f39.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d18f9cc03.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d19a63543.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d25795557.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d25e6c127.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d322646e7.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d3287ea03.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d4325d2d5.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d31d4391adf9.htp 7/24/2006 4:25 PM 8.00 KB Hidden from Windows API.
    C:\WINDOWS\Temp\cch~d32256a7dc07.htp 7/24/2006 4:25 PM 8.00 KB Visible in Windows API, directory index, but not in MFT.
    C:\WINDOWS\Temp\cch~d32256ec9497.htp 7/24/2006 4:25 PM 8.00 KB Visible in Windows API, directory index, but not in MFT.
    C:\WINDOWS\Temp\cch~d322cf1f87af.htp 7/24/2006 4:26 PM 8.00 KB Visible in Windows API, directory index, but not in MFT.
    C:\WINDOWS\Temp\cch~d322cf5ca43f.htp 7/24/2006 4:26 PM 8.00 KB Visible in Windows API, directory index, but not in MFT.
    C:\WINDOWS\Temp\cch~d32d3f7a226f.htp 7/24/2006 4:26 PM 8.00 KB Visible in directory index, but not Windows API or MFT.
    C:\WINDOWS\Temp\cch~d32d3fb3cc93.htp 7/24/2006 4:26 PM 8.00 KB Visible in directory index, but not Windows API or MFT.

  6. #6
    VopThis, Senior Member (Canada)
    All the RootkitRevealer entries appear to be recreated at each reboot (except for the first item) - notice the date timestamp.



    There is nothing in that log to clearly identify what may be creating those entries. Let's try the following tool:

    Please print out these instructions, as you should have all open windows and programs closed when running the scan.

    Step 1.
    ==========

    - Please download F-Secure's trial Blacklight from here
    - Print out the help page for guidance. It will be found here
    - Click the "I Accept" button at the license agreement
    - Click the "Download" button to start the download
    - Save it to your Desktop

    Step 2.
    ==========

    - Double-click the blbeta.exe file on your Desktop
    - Select the "I Accept the agreement" at the license agreement, then click "Next"
    - Make sure "Scan through Windows Explorer (Recommended)" is selected\checked
    - Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
    - Click "Scan"
    - When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
    - A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
    - Paste the contents of that log back here. VERY IMPORTANT: Do not proceed beyond this point on the initial first assessment – this is BETA software – need to proceed carefully
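    The observation above (everything except the first entry carries the timestamp of the latest scan) can be automated. The following Python script is an added example, not code from this thread or from Sysinternals: it parses RootkitRevealer discrepancy lines, compares the 7/23 and 7/24 scans, and separates the one finding that persists from the churn in cache, temp and Recent folders that is recreated on every boot. The sample lines are a constructed excerpt of the two scans pasted earlier; the list of volatile locations is an assumption of mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One RootkitRevealer finding per line:
#   <path> <M/D/YYYY> <H:MM AM|PM> <size> <bytes|KB|MB|GB> <discrepancy description>
# The path may contain spaces, so it is matched lazily up to the first date.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) (?P<desc>.+)$"
)

# Assumed list of locations that Windows and ordinary software rewrite constantly;
# a discrepancy there usually means "file changed while the scan ran", not a rootkit.
VOLATILE_MARKERS = (
    "c:\\windows\\temp\\",
    "\\mozilla\\firefox\\profiles\\",
    "\\kaspersky lab\\avp6\\pdmhist\\",
    "\\recent\\",
    "\\history\\history.ie5\\",
)

@dataclass(frozen=True)
class Finding:
    path: str
    stamp: datetime
    desc: str

def parse_log(text):
    """Return the findings in a RootkitRevealer log; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
            findings.append(Finding(m["path"], stamp, m["desc"]))
    return findings

def is_volatile(path):
    return any(marker in path.lower() for marker in VOLATILE_MARKERS)

def triage(earlier_log, later_log):
    """Split the later scan into findings that survived from the earlier scan,
    expected churn in volatile locations, and anything else that merits review."""
    earlier = {f.path: f for f in parse_log(earlier_log)}
    later = {f.path: f for f in parse_log(later_log)}
    persistent = sorted(p for p in later if p in earlier)
    churn = sorted(p for p in later if p not in earlier and is_volatile(p))
    review = sorted(p for p in later if p not in earlier and not is_volatile(p))
    return {"persistent": persistent, "churn": churn, "review": review}

# Constructed excerpt of the two scans pasted in this thread (7/23 and 7/24).
SCAN_0723 = r"""
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/29/2006 5:23 PM 0 bytes Access is denied.
C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\220A4116d01 7/23/2006 6:27 PM 27.57 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~9f509ae2393.htp 7/23/2006 6:24 PM 8.00 KB Visible in Windows API, but not in MFT or directory index.
"""
SCAN_0724 = r"""
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 6/29/2006 5:23 PM 0 bytes Access is denied.
C:\Documents and Settings\nsevilgenius\Local Settings\Application Data\Mozilla\Firefox\Profiles\vnb36p85.default\Cache\24ED5C18d01 7/24/2006 4:24 PM 33.19 KB Hidden from Windows API.
C:\Documents and Settings\nsevilgenius\Recent\DSCN0437.lnk 7/24/2006 4:23 PM 431 bytes Hidden from Windows API.
C:\WINDOWS\Temp\cch~d2f1ade7d837.htp 7/24/2006 4:24 PM 8.00 KB Hidden from Windows API.
"""

# REPORT["persistent"] holds only the sptd\Cfg key; "churn" holds the three fresh cache/temp/Recent entries.
REPORT = triage(SCAN_0723, SCAN_0724)
```

    The only persistent finding, the sptd\Cfg key, is the protected configuration key of the SCSI pass-through driver installed by DAEMON Tools and Alcohol 120%, both of which appear in the HijackThis log above, and is a well-known RootkitRevealer false positive. An entry that survives across scans and is not explained by installed software is the one worth investigating.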

  7. #7
    evilgeniusxp (Junior Member)
    OK, here is that scan. But one thing: it didn't ask anywhere to select Scan through Windows Explorer. Here is a screenshot.



    Here is the scan:

    07/25/06 15:44:18 [Info]: BlackLight Engine 1.0.42 initialized
    07/25/06 15:44:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    07/25/06 15:44:18 [Note]: 7019 4
    07/25/06 15:44:18 [Note]: 7005 0
    07/25/06 15:44:26 [Note]: 7006 0
    07/25/06 15:44:26 [Note]: 7011 1968
    07/25/06 15:44:27 [Note]: 7026 0
    07/25/06 15:44:27 [Note]: 7026 0
    07/25/06 15:44:37 [Note]: FSRAW library version 1.7.1019
    07/25/06 15:53:50 [Note]: 7007 0

  8. #8
    VopThis, Senior Member (Canada)
    "one thing it didnt ask anywhere to select Scan through Windows Explorer"
    Thanks for the feedback - the BETA tool has been evolving over time and has changed slightly, as you note.


    C:\Documents and Settings\nsevilgenius\Recent\100NIKON.lnk 7/24/2006 4:24 PM 308 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0437.lnk 7/24/2006 4:23 PM 431 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0440.lnk 7/24/2006 4:23 PM 431 bytes Hidden from Windows API.
    C:\Documents and Settings\nsevilgenius\Recent\DSCN0441.lnk 7/24/2006 4:24 PM 431 bytes Hidden from Windows API.
    Is it possible to locate any of the above links, right click on each, and determine in 'properties' what command string and/or filename is being referenced?

    The following step might be helpful:

    http://www.google.ca/search?hl=en&q=...e+Search&meta=




    We certainly haven't found anything that would help name a potential 'rootkit' or to identify a possible controlling infection agent.

    Can you please provide info on the following?:

    Which application(s) initially identified the possible existence of a 'rootkit'? Can you provide more details as to what the alert or warning details were?

    Are there any outward noticeable signs of an infection (such as slowdown or excessive CPU activity)?

  9. #9
    evilgeniusxp (Junior Member)
    As far as following the links, I can't get to them because they refer to my digital camera card that I had in the PC at the time. 100NIKON is a folder on the camera memory card and the other links are just pics.
    The first time it said anything about a rootkit was when I was doing something on the PC and it popped up. Basically it said rootkit found in firefox.exe. "maybe just a plugin i had" I haven't gotten the message anymore, but way before this my IE explorer quit working, hence the reason I got Firefox. IE will open but won't let you go to any pages. And when it first opens all buttons but Stop are disabled and the cursor is always the hourglass, but when I click Stop they all become available and my cursor changes back to an arrow. I even downloaded IE7 beta 3 to try to fix it but it does the exact same thing as IE6. Other than IE not working "which I wish it would so I can choose my updates from the Windows Update website", everything seems fine.

  10. #10
    VopThis, Senior Member (Canada)
    Let us turn our attention to Internet Explorer (IE) since an ongoing malware rootkit angle is not particularly conclusive. Most of the hidden files appear to be related to the Nikon camera.




    Run the system file checker:

    Start>Run>
    sfc /scannow (note the space between sfc & /scannow - suggest you copy and paste as shown).

    NOTE: You may/will be asked to insert your XP CD. This will check and fix all system files.



    Here are several additional steps you can try:

    • You could try to 'Add/Remove Programs' for 'Internet Explorer' (in the Control Panel) - and select the 'Repair Internet Explorer' option and see if that solves your issues.

    • Try running IEFix - General purpose fix for Internet Explorer:
      http://windowsxp.mvps.org/IEFIX.htm

    • Download deldomains:
      http://www.mvps.org/winhelp2002/DelDomains.inf
      When you click on the link, select Save. Save it to your desktop. Once on the desktop: It appears as an icon that looks like a notebook tablet with a gear overlaid on it.


      To use: right-click and select: Install (no need to restart)
      Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.


      Note: Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset:
      Examples: (if these are being used),
      • Spybot's "Immunize" feature is affected, you will need to re-immunize
      • SpywareBlaster's "Enable all protection" feature will have to be re-enabled
      • IE-SPYADS will have to be reinstalled



      Get hoster here:
      http://www.funkytoad.com/download/hoster.zip
      • Unzip it to a convenient place and run the program.
      • If you see in the top BOX (Editing Tools) ‘Your Hosts file is editable’ then press the ‘Restore Microsoft’s Original Hosts File’ button (in the Backup and Restore Tools BOX) and OK.
      • If you see red text (‘Hosts file is marked as read only’) then press the ‘Make Hosts Writeable’ button - then the Restore Original Hosts button and OK.
      • Close the program.





    After all is said and done, if the problems persists, I would recommend a Repair Install of XP. A backup of critical user files might be advisable before doing so:

    http://michaelstevenstech.com/XPrepairinstall.htm
