BOSTON (Reuters) - A few weeks ago Candace Locklear’s office computer quietly started sending out dozens of instant messages with photos attached that were infected with malicious software.

She was sitting at her desk, with no sign that the messaging software was active. By the time she figured out what was going on, several friends and colleagues had opened the attachments and infected their computers.

It took eight hours for a technician to clean up her computer. But because the malicious software worked so secretly, she’s still not convinced that all’s clear.

“I’d like to think that it’s gone. But I just don’t know,” said Locklear, 40, a publicist in San Francisco. “That’s what is so frustrating.”

Computer security experts estimate that tens of millions of personal computers are infected with malicious software like the one that attacked Locklear’s machine. Such programs, generally classified as malware, attack companies along with consumers.

Some are keyloggers, recording every key stroke that the user enters -- sending valuable bank account information, passwords and credit card numbers to hackers.

In July, hackers used keylogging software to gather passwords to databases at the U.S. Department of Transportation, consulting firm Booz Allen, Hewlett-Packard Co and satellite network company Hughes Network Systems, according to British Internet security software maker Prevx Inc.

And other malware programs turn PCs into “zombies,” literally giving hackers full control over the machine. The zombies can be instructed to act as servers, sending out tens of thousands of spam emails promoting counterfeit medications, luxury watches or penny stocks without the PC owner ever knowing about it.

The computer that controls the zombies -- known as the command and control center -- is able to change the text of the spam depending on what his or her customer wants to sell.

A woman on her computer in an undated photo. Computer security experts estimate that tens of millions of personal computers are infected with malicious software like the one that attacked Locklear's machine. Such programs, generally classified as malware, attack companies along with consumers. REUTERS/File

Monster Worldwide Inc said last month that confidential contact information of millions of its job seekers was stolen by criminals who used zombies. Contact data for 146,000 job seekers using the official U.S. government jobs Web site was also taken.

Monster said it would beef up its security, but even with enhanced protection there are no guarantees.

Security experts say that while companies and consumers need to be vigilant to protect themselves against Internet-borne threats, determined criminals are hard to beat.

“I hate to scare people, but there is never 100 percent (security),” says Gadi Evron, a researcher with Internet security firm Beyond Security. “If you want to know for sure, never do anything with your computer and never connect to the Internet.”

Evron has organized conferences between government and industry researchers to fight hackers who set up botnets, or networks of millions of zombies. He said the picture painted by some presenters was depressing.

“The problems are not getting solved. They are getting worse,” he said. “The bad guys are making a lot of money.”

Still, he and other security experts recommend that PC users take basic precautions, including installing up-to-date security software, keeping current with updates that software providers distribute over the Web, and backing up files.

There’s a wide range of PC security software available, including ones that were recently updated or about to be introduced by BiDefender, CA Inc, Check Point’s Zone Alarm, F-Secure Corp, Kaspersky Labs, McAfee Inc, Microsoft Corp, Prevx Corp, Symantec Corp’s Norton Security and Trend Micro Inc.

More important than security software, users need to monitor their own behavior. The bulk of malware is installed on computers by users who either click on a Web link or on a file that is attached to an email or instant message.

PC users can greatly reduce the risk of infection by only visiting familiar Web sites and avoiding unknown attachments.

“You won’t know you are infected until one day your ISP turns you off or restricts access or money starts disappearing from your bank account,” said Adam O’Donnell, a senior research scientist with Cloudmark, which sells anti-spam software.