A Webroot scan subsequent to the accident found multiple spy cookies but no viruses.
It now looks like the wrong sites came from misspelling "Khan Academy" as (incorrectly) "Kahn". I also found fake entries for the misspelled .com version in Facebook. (I also corrected the Khan spelling on a May 31 post on the my main blog.) It's easy to scramble unpronounced letters in other languages.