There are many different types of rootkits...these are a few examples.
TDSS/TDL2 used random names like TDSSpaxt.sys, TDSServ.sys, TDSSmqlt.sys, TDSSpqlt.sys, TDSSmhxt.sys and TDSSmaxt.sys, with randomly named .dll files (e.g. TDSSosvn.dll, TDSSriqp.dll, TDSSurxb.dll). Other variants included UACd.sys, GAOPDXserv.sys, SKYNETtyushyne.sys and those with naming conventions like MSIVXfpqebwwxpiswvenobbndeitvrjiwprcc.sys and ESQULcaqdnewnwtfswbfuqcsdruxpfjpqpfpn.sys.
TDL3 (Alureon) is the third-generation TDSS rootkit. It uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process, which makes the infection difficult to detect.
TDL4 (Alureon) infects two drivers: one is randomly chosen and the other is a legitimate driver (such as atapi.sys) in the Windows drivers folder. If the legitimate driver is swapped (cured) without the other being swapped at the same time, the swapped file becomes infected again. Newer TDL variants can infect the Master Boot Record and the MBR partition table.
TDL4/MaxSS creates a hidden partition by modifying a free partition table entry in the MBR partition table at the end of the bootable hard drive. Rather than overwriting the Windows MBR code as its predecessor did, this variant leaves the original MBR code fully intact and gains a foothold onto the system by creating a new, hidden partition where it stashes its malicious file system.
ZeroAccess (Max++) infects a random system driver, overwriting its code with its own infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. It creates a new kernel device object called __max++, creates a hidden file system, downloads more malware, and opens a back door on the compromised computer.
Rootkit.boot.SST.B (and SST.A) is the MaxSS modification of TDL4 and infects the VBR (volume boot record).
Olmasco (also known as SST, MaxSS) is a modification of the TDL4 bootkit and the second to use VBR (Volume Boot Record) infection to bypass kernel-mode code signing policy.
More detailed information about various rootkits can be found in the Glossary of Malware Related Terms.
If you were infected with this type of malware you would be experiencing signs of infection and various problems with your computer. These are some examples (not all are present, as symptoms depend on the malware variant and extent of infection).
* Google search results redirected as the malware modifies DNS query results.
* Infected (patched) files like atapi.sys, iastor.sys and others in the Windows drivers folder.
* Internet Explorer opens on its own.
* Pop ups when no browser is open.
* Mouse clicking sounds or suddenly freezing.
* Heavy network activity without any obvious reason.
* Services.exe is constantly increasing in size or using a lot of memory.
* A new service created, tied to a newly created user account, that points to an .exe file.
* BSOD and Stop 0x0000007B error message while booting the system.
* Random Audio/Radio/Voice ads.
* Commercials in foreign languages.
* Repeated Fake alerts indicating the computer is infected.
* Redirections in all browsers.
* Redirection to a phishing screen asking for personal information when attempting to log into eBay (PayPal, Gmail, Yahoo! Mail, etc.).
* Infected consrv.dll file which places various files in a random folder in the systemroot\INSTALLER folder.
* Hidden malicious partition.
* Presence of folders such as C:\WINDOWS\$NtUninstallKB3057$ or %WinDir%\$NtUninstallKB32069$.
* Presence of a system64 folder in C:\Windows.
* Booting issues.
* Infected/modified Master Boot Record (MBR).
* Infected/modified partition table.
* Infected/modified VBR (volume boot record).
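The hidden-partition technique described for TDL4/MaxSS above (and listed among the symptoms as a hidden malicious partition and a modified partition table) can be checked for by reading the 512-byte MBR and looking at its four partition-table slots. The following is an added example, not code from the original post: it parses the MBR partition table and flags an entry that uses a type code outside a short allow-list and sits in the last sectors of the disk. The `KNOWN_TYPES` allow-list and the end-of-disk heuristic are assumptions for this illustration, and the sample MBR is constructed inline.

```python
import struct

# Assumption: a short allow-list of partition types a Windows box normally shows.
# It is illustrative only, not an exhaustive table of type codes.
KNOWN_TYPES = {0x07, 0x0B, 0x0C, 0x0F, 0x27, 0x83, 0xEE}

def parse_mbr(mbr: bytes) -> list:
    """Return the populated partition-table entries of a 512-byte MBR sector."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot  # table starts at byte 446, 16 bytes per entry
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def find_hidden_partitions(entries: list, disk_sectors: int) -> list:
    """Flag entries with an unfamiliar type code that end exactly at the last
    sector of the disk, where free space would normally be (heuristic)."""
    flagged = []
    for e in entries:
        ends_at_disk_end = e["lba_start"] + e["sectors"] == disk_sectors
        if e["type"] not in KNOWN_TYPES and ends_at_disk_end:
            flagged.append(e)
    return flagged

def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS volume followed by a small partition
    with an arbitrary, unfamiliar type code squeezed into the disk's last sectors."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3xB3xII", status, ptype, start, count)
    table = (entry(0x80, 0x07, 2048, 2_000_000) +      # NTFS, active
             entry(0x00, 0x1B, 2_002_048, 4096) +      # suspicious trailing entry
             b"\x00" * 32)                             # two empty slots
    return b"\x00" * 446 + table + b"\x55\xAA"

if __name__ == "__main__":
    sample = build_sample_mbr()
    total_sectors = 2_002_048 + 4096  # constructed disk size in sectors
    for e in find_hidden_partitions(parse_mbr(sample), total_sectors):
        print(f"slot {e['slot']}: type 0x{e['type']:02X} at LBA {e['lba_start']} "
              f"({e['sectors']} sectors) ends at disk end")
```

On a live system the same parser would be fed the first sector of the physical disk; a flagged entry is a reason to inspect the MBR and partition table with a boot-sector scanner, not proof of infection on its own.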