What did I do? I gave up on Microsoft and retreated to Linux. And if I run Windows software on Linux I use a non-privileged user account to do so. Windows XP only sees the light of day if I need to run DirectX games.
But, short of abandoning your OS of choice altogether, it sounds like you've got the idea right: stay nice and paranoid. The easiest way that malware gets onto machines is if people download software from the internet, without having strong confidence that the software is not malicious. If you can avoid downloading the myriad pieces of tat that are on offer, you're off to a good start (and remember that browser add-ons are also to be suspected unless you check them out carefully).
You're absolutely right. I had a Windows Security Alert pop up that told me my anti-virus was offline and could not be found; it then asked me if I wanted to install a Malware Blocker, which was itself a Trojan. Luckily I never opened the virus, but the pop-up kept coming and it took me nearly 3 days to track it down and delete it. That is, of course, if I have; we shall see?