This is a common attack vector frequently used by Russian organized crime; I see it often and have been tracking the people responsible for years.

Essentially, the scam works by opening a browser window that shows a phony "virus scan" in progress, then displays fake warnings of non-existent viruses and downloads a zip file or an executable which will supposedly "fix" the infections. People who are duped into running the download, naturally, become infected.

There are many techniques used to route traffic to the phony virus scan pages, but the most common involves creating Web sites, either on servers living in Eastern Europe or on legitimate Web servers that have been hacked, which are designed to trap Google traffic.

The Russian organized crime figures who do this will create Web pages loaded with common Google search terms. Often, these pages scan Google's list of most popular search terms automatically, then automatically generate gibberish that contains those search terms.

The fake pages full of gibberish get very, very high Google ranking because the organized criminals link to them from thousands or even tens of thousands of other Web sites. Often, these links are from comments in blogs and online forums.

Anyway, the sites are stuffed full of keywords that are popular on Google. When you click onto the site from a Google search, it redirects you to the bogus "virus scan" site that downloads the malware.

A relatively new way to trap unwary users is to create a Web site that is full of pictures that contain ALT tags stuffed with Google keywords. The pages full of pictures look at the "signatures" of incoming traffic. If they see a Google spider, they serve up the pictures. If they see a browser, they redirect to the phony "virus scan" site.

So when you do a Google image search, some of the images you see will be bogus. When you click on them, instead of being taken to the picture, you will be redirected to the malware site.

I have been working on tracking these guys for a number of years. It's difficult to do anything about them, because invariably the people responsible are Russian and thus outside the reach of US law, but it's relatively easy to get their malware sites shut down. (It's a bit like playing whack-a-mole, because for each site that's shut down they put up a new one, but at least it slows them down a bit.)

If you can remember the address of the site you saw, please contact me offlist at tacitr (at) aol (dot) com. I'd like to look into it and, if possible, shut it down.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
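One way a defender can test a suspect page for the spider-versus-browser cloaking described in the post above, as an added example that is not part of the original message: request the same URL once with a search-spider user-agent and once with a browser user-agent, without following redirects, and compare the two first-hop responses. The user-agent strings, the `fake_cloaked_site` fetcher and the redirect target in it are constructed assumptions for offline use; `http_fetch` is the real network version.

```python
"""Cloaking check: does a page answer a crawler and a browser differently?"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
import urllib.error
import urllib.request

# Assumed user-agent strings; any crawler/browser pair works the same way.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"

@dataclass
class Response:
    status: int
    location: Optional[str]   # redirect target from the Location header, if any
    body: str

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects: the redirect itself is the evidence we want.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url: str, user_agent: str) -> Response:
    """Network fetcher: returns only the first hop for the given user-agent."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as r:
            return Response(r.getcode(), r.headers.get("Location"),
                            r.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:   # 3xx lands here because we refuse to follow
        return Response(e.code, e.headers.get("Location"), "")

def classify(url: str, fetch: Callable[[str, str], Response]) -> Tuple[str, Optional[str]]:
    """Compare crawler and browser views of one URL.
    Returns ("cloaked-redirect", target) when only the browser is bounced,
    ("content-differs", None) when both get 200 but different bodies,
    ("consistent", None) otherwise."""
    bot, user = fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA)
    bot_bounced = 300 <= bot.status < 400 and bool(bot.location)
    user_bounced = 300 <= user.status < 400 and bool(user.location)
    if user_bounced and not bot_bounced:
        return "cloaked-redirect", user.location
    if bot.status == user.status == 200 and bot.body != user.body:
        return "content-differs", None
    return "consistent", None

def fake_cloaked_site(url: str, user_agent: str) -> Response:
    """Constructed stand-in for the scheme in the post: pictures with keyword-stuffed
    ALT tags for the spider, a redirect to the fake scanner for everyone else."""
    if "Googlebot" in user_agent:
        return Response(200, None, '<img src="1.jpg" alt="popular search term">')
    return Response(302, "http://scanner.example/scan", "")

if __name__ == "__main__":
    print(classify("http://suspect.example/gallery", fake_cloaked_site))
```

Run it against a live URL with `classify(url, http_fetch)`; a "cloaked-redirect" result with an off-site target is the pattern described above and is worth reporting to the hosting provider.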