Actually, a rootkit will be found as a consequence of, not surfing per se, but not patching the operating system vulnerabilities, i.e. not using the free MS update facility.
A net hijacker will have the ability to install anything on your machine, incl. rootkits! Software that has rootkit functionality is being sold commercially as "surveillance" programmes, apparently quite legally. I've encountered some myself on some of the hijacked machines I've cleaned.
There's no need to mystify this, however. Keep your system current, as well as your antivirus set, and you'll be safe. I recommend a commercial vendor of AV software that has a fast response time to new outbreaks -- saving in the wrong place can ultimately become very expensive.