I have seen a new form of malware and I am getting paranoid about that version of malware. I suspect an infected web page or web add tells the browser it needs a new add-on to view the page properly. Somehow it avoids even asking if it is OK to add the addon. I know this because, I can be browsing the web go away for a while and my sandbox is telling me I can't update my browser while it is sandboxed. That means I didn't mouse over anything because I wasn't even at the computer and I certainly didn't OK the update. Because these updates are added to your user area you do not need admin right. Once attached not only does it have firewall privileges, it has access to what ever is sent to the web via your browser before encryption and WILL add malicious code to all the executable you download. Because it is not a process, but a sub process to your browser I do not thing it shows up on Hijackthis.
I will continue to browse sandboxed. I am adding a add block addon. Is there anything else I can do?