I recently decided to lower my system defences and do away with live AV & Spyware/malware blockers - I hadn't had anything worse than a tracking cookie in 20+ years of computing - not just not found but not blocked either.  I was still doing static sweeps with a random choice of various free and online scanners evey other week just to check.

I'm a very, very safe and savy internet user - or thought I was - and I had a router firewall.

Bad choice. Very bad choice.

Within a month things just weren't "feeling right" but I ran a sweep and nothing there. Two days later one of my USB devices stopped working and then Explorer started crashing.  I spotted a rogue device in Device Manager's hidden devices list but the sweeps I was doing weren't picking it up - rootkit.

It was a nasty little bugger that wanted to party with some friends so had started downloading them too.

Eventually managed to get rid of it with a combination of Malwarebytes, Spybot & NIS 2009. 

But I wasn't 100% sure so I decided to reformat anyway.

Never assume you are too smart or to aware to get caught.

One final word of warning. If you have been caught by anything check out the nature of the beast - if there is a risk that personal details could have been captured then you must change all your passwords and, if you do any financial transactions on the Web, you must notify the banks/credit card companies/etc. and they will probably insist on blocking your cards and issuing new ones.  Which is a complete pain in the arse and much more annoying that reformatting and rebuilding a system.

Remember Murphy's Law- If something can go wrong, it will.

I've been fortunate in this respect.  In several decades of computer use, I can't recall having picked up any malicious programs on my machine (Except Windows, hurr durr :3).  Tracking cookies are as bad as it ever got.  How was this possible, you might ask?  Well, there are several factors:

1) I'm really, really lucky.  I don't count on it, so I also have...

2) A firewall up at all times.

3) An Antivirus running ASAP in the boot process.  I may turn it off later, after the comp's up and running and I need all the CPU cycles I can get, but I never go without one at startup or during online activity.

4) As many security updates as I can get.  Functionality and enhancement updates can wait, security updates cannot.

5) Know thy enemy, know thyself.  My machine's been clean partially because I've had to remove so many malicious programs from other computers, be they friends, family, business, or public.  I don't just remove them- I like to dissect them to see exactly how they did it in the first place.  It's a lot easier to counter an attack when you know how they do it.  It's also a lot easier to spot something wrong when you know exactly what you machine does when it's clean.  Any difference from the status quo throws up a red flag.

6) Don't be hasty.  "Do I really need this?" is always a legitimate question, and the answer is usually "No."  The latest software is, by definition, also the least tested, meaning it's likely rife with security holes and other problems.  Windows Vista is an excellent recent example of this- the SP1 update contained a ton of items that fall under the "Why didn't they do this from the start?" catagory.  It was so bad that a great many people decided to stick it out with XP.  Vista's managed to improve quite a bit since then, but that's not much solace for those that got burned because it hadn't received a good real-world test.  A pure gaming rig can afford to take that risk, but if I'm using a machine for something important, I prefer tried and tested programs.

7) Keep it simple.  The more you have, the more that can go wrong.  I can count all the programs in my system tray on one hand, and every one of them is an essential function.

Oddly enough, the weakest point I've seen in system defense, as revealed by my dissections, isn't the OS, the net connection, or a flaw in the security programs- it's the user.  It all boils down to an assumption by the malicious coders that people are easily manipulated idiots, and they're right.  There's no security system in existance that can protect you from your own ignorance.  Luckily, you can fix this!  All it takes is a little time and effort

Find out how safe you are. Try this awesome site that will try to find your PC. Mine is invisible.  https://www.grc.com/x/ne.dll?bh0bkyd2

I don't.

I'm assuming that the firewall is more of a pain in the ass to use than the trojan is to clean off once every couple years when I actually get an infection from one of the very few widely distributed and not previously fixed exploits.  I'm assuming that the antivirus is more likely to delete something important than that virus is, that the antivirus itself is more damaging than the virus is to my system performance to start with, and that I might as well have the rare virus infestation instead and run antiviral software as needed instead of in perpetuity.

I saved myself hours of irritation in return for some occasional entertainment.

Harmless, utterly harmless.  ActiveX was on a fuck off and die unless I trust your site basis long before that came out.  That and Java script were two primary exceptions to the low security setup I was running.  I never liked giving IE any more functionality than it absolutely needed.  I was also equally unhappy with the mandatory security level enforced by IE7, so it's since been dropped entirely for pissing me off.  I don't want a nanny, especially on that blocks popup windows when I'm the one trying to open them.

I have better odds of being in a car wreck than I do getting screwed beyond amusement by a computer virus.  So first I should avoid driving without having a car encased in foam.