
An unfortunately common attack vector for malware is via malicious or hacked websites. I'll look at the signs, and the steps you need to take.

I went to a website and the moment I got there, my computer started to tell me that I had a virus. I know I did not, except for this advertising; I have antivirus and antispyware and it still got in. I found it and put the program in the all users application data. After I removed it and restored to an earlier date, it was gone. I went back to the same site and nothing happened. So, my question is how did it install the program on my computer and why did it not do it the second time I went back to the same site?

First, I want to let you know that you were lucky; this approach to malicious infection is incredibly devious and, sadly, often successful.

I also want to say that if you restored from a backup to get rid of it, that's excellent. Unfortunately, other manual approaches to getting rid of malware - including system restore - are not guaranteed to always remove all traces.

Let's review what probably happened.

It's A Trap!

It's pretty easy to make something that looks like a very legitimate Windows alert or error message that tells you "OMG! YOU'RE INFECTED! CLICK OK TO FIX IT!".

OMG You're Infected! Not.

(I've used a very simple example - actual malware often replicates very complex and official looking alert dialogs and message boxes.)

Of course, if you click on OK rather than dismissing the warning, the fake message box is crafted to take that as a request to download and install malware. In fact, a fake message box can be crafted so that anything that you might do to close it, including clicking the "x" at the upper right or typing ALT+F4 to exit, actually instructs your browser to download and install malware.

Various approaches, including limited user accounts or Windows User Account Control, can help thwart the attempt or minimize the damage, but on systems where security is lax, this is one way that malware purveyors get onto your machine.

A very common type of malware that does this is often referred to as "hostage-ware", because once installed, it demands payment to download software that will supposedly remove the malware.

Don't. Not only will you have given your credit card information to one of the bad guys, but often, the "fix" simply doesn't.

Avoiding The Trap

Naturally, the common advice is to avoid websites where you know that this might happen.

Unfortunately, as we'll see in a moment, that's easier said than done. Even websites that you can trust can be hacked and this is a common result.

No, as dramatic as it might seem, the only secure way to move on when this type of unexpected and malicious warning pops up is to kill or "End Task" the browser:

End Task the Browser

By that, I mean right-click on the clock, click on Task Manager, and, in the applications list, right-click on your browser and click on End Task. Repeat for any additional instances of the browser that you find in this list.

This forceful exit causes your browser to stop running immediately and, as a result, doesn't give the malicious software an opportunity to do anything more beyond displaying that message.

Disappearing Traps?

I won't ask why you went back. My first bit of advice would, of course, be don't go back. At least, not until you get some assurances from someone or somewhere else that the site has been fixed or that a typo took you to the wrong site.

As I mentioned above, this technique for distributing malware is one of the approaches that hackers take when they hack into an otherwise legitimate website.

Naturally, you want to be able to trust trustworthy sites. By and large, you can. But every so often, a good site might find itself in this position of inadvertently offering up malware. You can bet that they'll run to fix it as fast as they can when they find out, but in the meantime, visitors could get infected.

So, perhaps, by the time you came back, that's exactly what had happened. The site had been repaired.

The typo scenario is also a common one. It's not unusual to typo a domain name when entering it into your address bar. Hackers know this and often set up fake sites on these typo-domains that spread malware, act as phishing sites, or more.

It's an argument for using services like OpenDNS, which can be configured to block many of these sites, or other tools which auto-correct common typos.

So, it's also possible that your "return" wasn't a return at all, but rather a visit to the real site where perhaps a typo-site caused your original problem.
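The typo-domain problem lends itself to a simple local check. The following Python is an added example, not code from Ask Leo! or from OpenDNS or any other tool the article mentions: it extracts the registrable domain from whatever was typed into the address bar, compares it against a short, constructed list of trusted domains using an edit distance that counts an adjacent-letter swap as a single mistake, and flags near-misses rather than silently "correcting" them. The trusted-domain list, the sample hostnames and the distance threshold are assumptions made for the demonstration.

```python
"""Flag hostnames that look like typo-squats of domains the user trusts.

Added illustration, not from the article: the trusted-domain list and the
sample inputs are constructed for the demo; the threshold is an assumption.
"""
from urllib.parse import urlsplit

# Constructed allowlist of domains the user actually intends to visit.
TRUSTED_DOMAINS = ["askleo.com", "google.com", "microsoft.com"]


def registrable_domain(url_or_host: str) -> str:
    """Reduce a URL or bare hostname to its last two labels,
    e.g. 'http://www.example.com/page' -> 'example.com'."""
    # urlsplit only recognises a host when the string has a scheme or '//'.
    text = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1, so the
    classic 'googel' slip counts as one mistake rather than two."""
    prev2, prev = None, list(range(len(b) + 1))  # prev2 = row i-2, prev = row i-1
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1,          # delete ca
                       cur[j - 1] + 1,       # insert cb
                       prev[j - 1] + cost)   # substitute (or match)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swap of adjacent characters
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url_or_host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain) on an exact match, ('suspect', closest)
    when the domain is within max_distance of a trusted one but differs,
    and ('unknown', None) otherwise. Near-misses are flagged, not rewritten,
    so the user decides whether the address was a typo."""
    domain = registrable_domain(url_or_host)
    if domain in trusted:
        return "trusted", domain
    closest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, closest) <= max_distance:
        return "suspect", closest
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample inputs: a typo, a transposition, a good address, an unrelated one.
    for typed in ["http://www.gogle.com/search", "askelo.com", "askleo.com", "example.org"]:
        print(f"{typed:32} -> {classify(typed)}")
```

A threshold of two keeps the check from firing on every short domain that happens to be close to another; in practice the trusted list would be the user's own bookmarks or frequently visited sites, and a "suspect" result is a reason to stop and look at the address bar before anything on the page is clicked.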

One thing that I'm fairly certain of: hackers aren't likely to say "Oh, we already infected this machine once, let's leave it alone this time".

Article C4788 - April 9, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Comments (16)

I have disinfected all computers, and it continues to happen, not just daily, but often several times a day. It's not just one site doing it. I can be researching something in google and it will happen before even going to the site to read the article. I have a repairman coming out next week with a new modem and router (both of which date back to our first getting DSL). I am hoping he can resolve the problems.

I'll simply ask this: how do you KNOW that a computer has been truly disinfected? Answer: unless you reformatted and reinstalled Windows and all applications from scratch, you do not. Once infected there are no guarantees that tools of any sort can completely clean the machine.

Leo
14-Apr-2011
Posted by: Joyce at April 13, 2011 8:12 AM

I replied earlier about being infected daily. You recommended not going to those sites. My repairman said my computer was badly infected, that there were residuals left on the computer after running all the antimalware, virus programs I could think of to get rid of what was infecting my machine. He said it can happen to anyone at anytime visiting all sorts of sites, like looking up recipes, which I do a lot! My husband looks up Christian sites. So the answer no to visit certain sites doesn't work. Since he has disinfected my machine (and he did NOT reformat my hard drive) I have not had a virus. I did have him install a new secured modem/wireless network at the same time.

Posted by: Joyce at April 27, 2011 7:00 AM

Good article. Sent it to my entire list of contacts. I have to deal with this problem several times a month. This information will help.
Dave

Posted by: Dave duChene at April 27, 2011 7:55 AM

I do not know if this will help but in Firefox there is an excellent add-on that is called NoScript.
What it does is prevent the execution of any script from a page you visit unless they are authorised. That means no ads, no flash player etc. unless explicitly authorised.

So far, for me, it has been a great help with reducing warnings of the kind mentioned in the article. It is however, like any line of defense, just one line of defense. Antivirus, antimalware etc. are all part of the picture.

Posted by: Constantine at July 29, 2011 11:19 PM

I doubt anyone is reading this far back, but, what I do when I get "one of those . . ." is to unplug my modem and then kill the process in Task Manager. That way nothing can be downloaded.

Posted by: jpChris at August 5, 2011 1:16 PM