An "Undetectable" Rootkit
is one that installs a kernel-mode driver so that it can filter out all mentions of its processes and files from data streams.

Evidently, such a rootkit was installed on my computer, and the only way that I could ever get rid of it was to nuke the HDD and re-install everything. I did not have any disk and partition "imaging" software at the time, nor an external HDD on which to store it, so the task was long and arduous. And the rootkit was continually re-installed until I had enough evidence that its origin was a website which I frequented almost daily for over ten years.

During my investigations, I tried a Bart PE CD which I had made after Windows XP SP2 was installed. However, it didn't have any anti-malware software on it. So I used a Linux Live CD but it just contained software for installing Linux on the computer. Eventually, I created and used an Ultimate Boot Disk for Windows that had some, but not enough, tools on it for finding malware.

On the face of it, the rootkit driver was not loaded and running, since the system booted from the CD. The problem then became finding and identifying which of the files stored on the HDD belonged to the rootkit. Malware scanners proved useless, apparently because they did not have a signature for any of the rootkit's files. Then again, why would they??

For Windows XP, not even Microsoft can give a definitive list of what their own installation software installs on any specific computer. Thousands of files are stored in C:\Windows, which most likely contained the rootkit's kernel mode driver and the executable which installs it, since that is the only root-level directory which is accessible during system boot.

That also assumes that the rootkit hasn't altered the bootstrap loader and/or stored files on Track 0, or in the 10 MB that all Windows OSes leave at the end of every internal HDD that they partition. The executable that installs the rootkit's kernel-mode driver could be a modified .DLL which is loaded and run by a Windows OS component during system boot (e.g., svchost.exe).

The sum of my experience was that none of the twenty-plus AV programs that I had obtained, installed and run ever detected the rootkit. How would they?? Booting from a CD with a raft of scanners installed on it would not make any difference, unless at least one of them has some means of identifying the rootkit files that is not a signature.

None of the anti-rootkit software found anything specific, either, yet the presence of the malware was quite evident from its behavior, i.e. the activities in which it engaged while it was running. As far as I know, that rootkit's files have never been identified to this day.
Posted by Ocie3
10th Jun 2010
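The non-signature check the post keeps asking for is a baseline comparison: hash every file under the system directory while the install is still trusted, then, when booted from clean media so no filter driver is active, hash it again and diff. This is an added example, not code from the post or its author; the directory tree, file names (including the "example_hidden.sys" placeholder) and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to (size, sha256)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest.hexdigest())
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, vanished, or changed since the trusted baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed sample: a tiny stand-in for C:\\Windows, snapshotted clean, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "system32" / "drivers"
        drivers.mkdir(parents=True)
        (root / "system32" / "kernel32.dll").write_bytes(b"clean library")
        (drivers / "disk.sys").write_bytes(b"clean driver")
        baseline = build_manifest(root)  # taken while the install was still trusted
        # Changes that a later offline (boot-CD) comparison should surface:
        (drivers / "example_hidden.sys").write_bytes(b"unexplained new driver")  # constructed name
        (root / "system32" / "kernel32.dll").write_bytes(b"clean library plus patch")
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The result is only as good as the baseline: it must be taken from a state you trust and stored off the machine, and every unexplained entry still has to be checked by hand, since legitimate updates change files too.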