credit card compromised

  • dick b
    V.I.P. Member
    • Jun 2009
    • 2462

    #1

    credit card compromised

    I recently had my credit card details used by someone trying to buy services from British Airways, but fortunately my bank withheld payment before contacting me.
    They must have got the details from my using the internet to buy other stuff, but I have what I thought was full security from F-Secure, which is updated every hour. I have blocked all the cards I use and am now scared to buy anything off the net in case it happens again. Can anyone tell me what I have been doing wrong and what I should do to stop it happening again?
    cheers dick b
  • ruudvandan
    DK Veteran
    • Dec 2008
    • 1091

    #2
    Are you using Linux or Windows? F-Secure is known to have vulnerabilities in Linux.
    http://www.facebook.com/BoycottFIFASponsors


    • dick b
      V.I.P. Member
      • Jun 2009
      • 2462

      #3
      I'm using Windows XP with Internet Explorer.


      • dell_xps
        V.I.P. Member
        • Dec 2008
        • 2558

        #4
        Either a rogue website, or your computer has a trojan on it.


        • neilsignum
          Junior Member
          • Nov 2009
          • 38

          #5
          Doesn't have to be a problem on your PC, it could be the retailer that is compromised though that is unlikely at proper web shops. It is more than likely someone copying your details when you phone to order.
          You have very little if any liability for losses using cards so don't sweat too much about it - use one card for all Internet transactions and always check the statement online and you'll soon spot any iffy ones, and if card gets used you only lose the use of that one.

          Of course if you use lots of sites that are based around hacked software then it is possible any of the software is full of trojans that may well compromise your PC ;-)

          ns


          • chroma
            V.I.P. Member
            • Feb 2009
            • 1976

            #6
            Complacently trusting software to keep you safe is always a bad mistake.

            Viruses, exploits, phishing sites and the like are only protected against by virus software if they're already known about in the first place.

            Take a phishing site, for instance: it's hard for software to detect. Most only do this by using a blacklist of known sites and checking against that list before establishing a full connection; if the site isn't on the list then you're shit outa luck.

            The fact is they're also very easy to set up.

            Mirror a site to your own server.
            Send a message to the DNS telling it you've changed address and voila, all traffic is now forwarded to your site.

            DNS servers (the things which tell a computer "google.com" is really 74.125.53.100 in computer speak)
            These work much the same way as a postal system: imagine you've moved house, you go to the post office and let them know you want a redirect, and they set one up for you with very little in the way of verification.
            Because so many people are moving house all around the country it would be impossible for the postal system to fully verify everyone, so they only need a limited set of credentials.

            Hackers just fake these credentials (knowing that the DNS isn't going to really check every detail) and get all the traffic that's supposed to go to, say, your bank's server sent to their server. (So when you type google.com, instead of being sent to 74.125.53.100 you really get sent to, say, 94.142.241.111.)

            The easiest way to spot these is to check that the server is certified.
            All transactions should take place over SSL (secure webpages) and these should have a padlock icon on the bottom bar of your browser and the address bar should be prefixed with HTTPS:// instead of just HTTP://

            Double click on the padlock and it will give you certificate details (which can also be spoofed, but it's not as easy as merely mirroring a site and forgetting about the headache of getting a certificate).

            If the page is just plain old plain text http:// or if it doesn't have a valid certificate then chances are it's a scam and you shouldn't be giving out any sensitive details like accounts and numbers.
            Last edited by chroma; 14 November, 2009, 15:00.
            He who laughs last thinks slowest.
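
Added example (not part of the original thread): the padlock check described in post #6, written out as code, showing why a mirrored site reached through a redirected DNS entry fails it. The host names and certificate values are constructed samples; certificates are assumed to be in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import socket
import ssl
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the host the user asked for."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard may only stand for the whole left-most label.
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_payment_page(url, cert, now):
    """Return a list of problems; an empty list means these checks pass."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return ["page is not served over https"]
    host = parts.hostname or ""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("certificate was not issued for " + host)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems

def fetch_verified_cert(host, port=443):
    """Live use: the default context also verifies the CA chain and host name,
    and raises ssl.SSLCertVerificationError if either check fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data (not taken from any real site).
BANK_CERT = {"subjectAltName": (("DNS", "www.bank.example"),
                                ("DNS", "*.pay.bank.example")),
             "notAfter": "Jun  1 12:00:00 2030 GMT"}
# What a mirrored copy can present: a certificate for its own name only.
MIRROR_CERT = {"subjectAltName": (("DNS", "mirror.example"),),
               "notAfter": "Jun  1 12:00:00 2030 GMT"}
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(check_payment_page("https://www.bank.example/pay", MIRROR_CERT, NOW))
```

The name and expiry checks here are only part of what a browser does; the chain of trust back to a known certificate authority is verified by the TLS library, as in fetch_verified_cert.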
