The sharp rise in rootkit detections on Windows machines is a direct result of adware/spyware vendors using sophisticated techniques to hide processes and prevent uninstall, according to anti-virus vendor F-Secure Corp.

F-Secure the Finnish company, which ships an anti-rootkit scanner in its security suite, has identified ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs, as the company responsible for a large number of stealth rootkit infections.

F-Secure chief incident officer Mikko Hypponen said the company's BlackLight technology has discovered the use of "very advanced rootkit technologies" in Apropos, a spyware program that collects users' browsing habits and system information and reports back to the ContextPlus servers.

Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web. Unlike the average worm or bot that use rootkit technologies to avoid detection, Hypponen said the rootkit features built into Apropos aren't being used to hide the existence of the program on the machine.

They're using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes. The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process. When the files and registry keys have been hidden, no user-mode process is allowed to access them.