..Your Computer Has A Virus, But Nothing Detects It...
by Ed Edited It Productions (Ed Przyzycki, Admin) - Saturday, 2 January 2010, 08:42 AM

I didn't think it was possible. I have McAfee Anti-Virus, CheckPoint Zone Alarm, SpyBot Search & Destroy, and more... Yet, suddenly when I Googled, my search results "hijacked" me to places I didn't want to go. I felt violated. Was my data secure? How can this happen? What could I do? This is my story, along with 10 tips-and-tricks to help if it happens to you.

Myth: If you have anti-virus software installed, updated, and running, you keep your computer "up-to-date", you don't open unsolicited email (or attachments) and you don’t go to “unusual” websites, your computer should be safe.

That’s what I thought. I have my computers scan for viruses at least once a week. All drives automatically get backed up at least once a week. I have security programs which stay updated. Windows Update is on and checking for patches. Since I do web development and some Flash coding for a living, I thought I knew it all. I was wrong.

It started when I was Googling in Internet Explorer 8. Every once in a while, a search result would take me someplace strange. Then it started happening more often. Things were fine in Firefox 3.5.6, then it started happening there. Now, add random pop-ups to the list.

At first, I didn’t worry. I ran McAfee. It found nothing. I knew that was false: this was a classic Trojan or hijack. Ok, let me try SpyBot Search & Destroy, I thought. Nothing. Ok, how about IOBit Security 360? Nothing. Was I going crazy? Google searching (when I was actually able to) suggested HijackThis. Nothing. Malwarebytes' Anti-Malware? Nothing. The list kept growing.

There are a lot of internet sites that offer suggestions: download this piece of software, disable your current anti-virus (it conflicts with the download), run this other application that I’ve never heard of. Post the result logs on some website that tells the world what you have installed. The sites promise that someone will get back to you. It results in more software downloads, more logs, more tests. Meanwhile, these applications are doing who knows what to your computer. More problems result.

I didn’t take this approach. Maybe it’s because I don’t trust anyone. “I’m a programmer, there’s got to be a logic to this.” I thought. I was right.

First, try to isolate the problem. Let me uninstall Internet Explorer 8 and only use Firefox. The problem went away. You would think the story would end there, but it can’t. A lot of software requires .dll files that get uninstalled when IE is uninstalled. So my symptoms went away, but now other software didn’t work- and was the hijack/Trojan still around?

Next: Ok, let’s try to figure out what’s going on when I search in Google. I have a router on my network, so I was able to view network traffic logs. That’s when I noticed the first sign. When I went to Google.com, not only did my logs report Google IP/http addresses, they also reported http://b11335599.cn. This didn’t make any sense. It’s certainly something out of place.

[Screenshot: Router Logs]

Above: If you have a router (or firewall software) that can track network traffic, that will help you troubleshoot what's going on. You'll need to log in to your router (typically http://192.168.0.1), enable and view logs, know your computer's internal LAN IP address so you can tell its traffic apart from other computers on your network (mine is 192.168.0.252), and track destination URLs and IPs.

When I saw the strange "http://b11335599.cn" appear in my list, I Googled that address, and only saw one search result. Yep, it’s a hijack. Actually, worse. It’s a Rootkit TDL 3. Here's the link I found, and note that it actually shows what programming was used to create the virus! (That's scary!) TDL 3 is the name of a rootkit family, and "rootkit" is a fancy way of saying it’s something that hides itself so it is NOT EASILY DETECTABLE by anti-virus software. Worse, it “injects” itself into other applications, making it even harder to detect. These viruses can do almost anything. My version (besides the hijack) also erases and destroys hard drives that contain backup data files. Yes, it searches for those files and destroys them! (uh-oh!)
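The check described above (pull your own machine's lines out of the router log and look for destinations that have no business being there while you search Google) is easy to script, and it is the same habit tip 10 below asks you to build. The following is an added example, not code from the original post: the log format is a constructed approximation of a consumer router's connection log, the LAN IP, the expected-host list and the sample lines are assumptions, and the destination IPs are documentation addresses rather than real servers.

```python
"""Triage a home router's outbound traffic log for out-of-place destinations.

Added example; this is not code from the original post. The log format is a
constructed approximation of a consumer router's connection log:

    <date> <time> <source LAN IP> -> <destination IP> <requested URL>

Real routers use their own formats, so adapt parse_line() to yours. The
LAN IP, the expected-host list and the sample lines are assumptions.
"""
import re
from urllib.parse import urlsplit

MY_LAN_IP = "192.168.0.252"  # the suspect machine (the post's address)

# Hosts a plain Google search is expected to touch. Anything else seen from
# the same machine during the search is worth a second look.
EXPECTED_FOR_GOOGLE = {"google.com", "gstatic.com", "googleapis.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<url>\S+)$"
)

# Constructed sample log. Destination IPs are documentation addresses
# (RFC 5737), not the real servers. The .cn host is the one from the post.
SAMPLE_LOG = """\
2010-01-02 08:30:11 192.168.0.252 -> 203.0.113.10 http://www.google.com/search?q=router+logs
2010-01-02 08:30:11 192.168.0.252 -> 203.0.113.11 http://www.gstatic.com/ui/favicon.ico
2010-01-02 08:30:12 192.168.0.252 -> 203.0.113.99 http://b11335599.cn/
2010-01-02 08:30:15 192.168.0.10 -> 203.0.113.20 http://www.example.org/news
this line is noise the router wrote and should be ignored
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = (urlsplit(m.group("url")).hostname or "").lower()
    return {"ts": m.group("ts"), "src": m.group("src"),
            "dst": m.group("dst"), "host": host}


def registrable(host):
    """Crude registrable domain: the last two labels (www.google.com -> google.com).
    Good enough for a home log; a public-suffix list is the proper tool."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_throwaway(host):
    """Heuristic for names like the one in the post: a first label of six or
    more characters in which at least half are digits."""
    label = host.split(".")[0]
    digits = sum(ch.isdigit() for ch in label)
    return len(label) >= 6 and digits * 2 >= len(label)


def triage(log_lines, lan_ip=MY_LAN_IP, expected=EXPECTED_FOR_GOOGLE):
    """Summarise what lan_ip talked to and which of it looks out of place.

    'unexpected' is only populated if the machine actually visited Google,
    since the expected-host list describes that activity."""
    entries = [e for e in map(parse_line, log_lines) if e and e["src"] == lan_ip]
    hosts = sorted({e["host"] for e in entries if e["host"]})
    visited_google = any(registrable(h) == "google.com" for h in hosts)
    unexpected = [h for h in hosts
                  if visited_google and registrable(h) not in expected]
    suspicious = [h for h in hosts if looks_throwaway(h)]
    return {"hosts": hosts, "unexpected": unexpected, "suspicious": suspicious}


def new_hosts(current_hosts, baseline_hosts):
    """Tip 10 in practice: record the hosts you normally see while the machine
    is healthy, then diff a later log against that baseline."""
    return sorted(set(current_hosts) - set(baseline_hosts))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in ("hosts", "unexpected", "suspicious"):
        print(f"{key:11}: {', '.join(result[key]) or '-'}")
    baseline = ["www.google.com", "www.gstatic.com"]
    print(f"new vs baseline: {', '.join(new_hosts(result['hosts'], baseline))}")
```

Two caveats a practitioner should keep in mind: a router only sees the hostname if it logs URLs or DNS lookups (a plain IP log still shows the odd destination, just without the name), and the "unexpected during a Google search" list is only as good as the expected-host set, so the baseline diff in new_hosts() is the more robust check over time.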

Since it infects files that are loaded and running as part of Windows, you can’t disable them without disabling Windows. With Windows disabled, you really can’t fix anything from inside that Windows install; the usual way around this is to boot from separate, clean media and scan the disk while the infected system is not running.

Lucky for me, one software application was able to detect and repair TDL 3 rootkits. Hitman Pro 3.5.3 did the trick for me. (I certainly can’t guarantee it will fix everything. I’m not necessarily endorsing this product; it just worked for me in this instance. Something better may work for you, it depends on your symptoms.)

[Screenshot: Rootkit]

Above: Hitman Pro shows the virus. It was the only application that could find it. I tried over 10.

So things are back to “normal”, at least for the time being. Here are some lessons learned.

1) Anti-virus programs and malware detection programs don’t catch everything. It’s a false sense of security. You need to have a disaster plan.

2) You need a backup disaster plan. These viruses are so tough now that they actively go after backup and restore files. So, even if you’ve backed up data, the backup itself might not be safe.

3) If you have to do a Windows System Restore, be prepared to reinstall your anti-virus software. Usually the System Restore process doesn’t work well with these applications.

4) You may have to work in Windows Safe Mode to search and destroy viruses. That means that you may not have network support (plain Safe Mode loads no networking; “Safe Mode with Networking” does, at the cost of loading more drivers), and certain “devices” like external drives may not work. You might need a way to copy files to this computer. So, you may need a “second” computer to work with, along with a portable drive of some sort, or even a floppy disk. Remember those?

5) Back up data weekly, automatically, to an external drive. Then, back up important files manually once a week onto a removable USB drive and keep that drive disconnected from your computer. (Rewritable CD-ROMs, DVDs or portable USB drives work well here.)

6) Keep a Windows Operating System CD handy.

7) Know the serial numbers of all your important software. Keep a hard-copy printout.

8) Print out your email addresses (Outlook address book) and your Internet Favorites URLs.

9) Keep an old computer around. Keep it disconnected from your network, but keep it updated. It can serve as a backup if your main computer is under attack. (Of course, PDAs could work for checking email, etc.)

10) Take time now to learn how your router works, if you have one. Figure out how to monitor network traffic, so you can detect “strange” traffic when you suspect something is wrong. Be familiar with your network firewall: how to enable and disable it. Have a basic understanding of “ports”. I NEVER use P2P file sharing, because it opens your ports. Enabling Windows Media Sharing is just as scary. Keep it off if you can.
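Tips 2 and 5 raise a question the list does not answer: how do you know, before you need it, that the backup on the disconnected drive is still the backup you wrote? One answer is to record a hash manifest when the backup is made and keep it with the offline copy (or print it, as tip 7 suggests for serial numbers), then verify against it. The following is an added example, not code from the original post; the files it checks are constructed in a temporary directory purely to show the check catching a wiped file and a truncated one.

```python
"""Detect backups that have been silently wiped or corrupted.

Added example; not code from the original post. A hash manifest made when
the backup is written, and stored with the offline copy, lets you check the
backup before you need it. The files below are constructed in a temporary
directory purely to show the check working.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file's relative path to its size and SHA-256."""
    root = Path(backup_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_of(path)}
    return manifest


def verify_manifest(backup_dir, manifest):
    """Compare the directory against a stored manifest.

    Returns missing files, files whose contents changed, files that were not
    in the manifest, and an overall 'ok' flag (missing or modified => not ok).
    """
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(rel for rel in manifest
                      if rel in current and current[rel]["sha256"] != manifest[rel]["sha256"])
    return {"missing": missing, "modified": modified,
            "unexpected": unexpected, "ok": not (missing or modified)}


def demo():
    """Constructed scenario: write a backup, record its manifest, then simulate
    malware deleting one file and emptying another. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.doc").write_bytes(b"important draft\n" * 100)
        (root / "photos.zip").write_bytes(bytes(range(256)) * 16)

        # Serialise the manifest; this JSON is what you keep on the offline drive.
        stored = json.dumps(build_manifest(root), indent=2, sort_keys=True)
        before = verify_manifest(root, json.loads(stored))

        os.remove(root / "photos.zip")                    # wiped
        (root / "docs" / "thesis.doc").write_bytes(b"")   # truncated to nothing
        after = verify_manifest(root, json.loads(stored))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup ok:", before["ok"])
    print("after tampering:", json.dumps(after, indent=2))
```

The manifest must not live only on the machine being backed up, or on the same always-connected drive as the backup; anything that can destroy the backup can destroy a manifest sitting next to it. Store it on the disconnected drive from tip 5 or on paper, and run verify_manifest() from a clean machine (tip 9) if the main one is suspect.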

Well, that’s my attempt at sharing my story. I hope it helps someone. Good luck!