Ok, I admit it. I've been had. My machine got compromised by a browser hack today. I’m still trying to figure out how the hell this could happen and how this is possible. I’m using IE 6 which is supposedly patched all the way up to last week.

I was browsing earlier today and I mistyped a URL and ended up on one of those million-links-on-one-page sites. Of course, trying to get off, another new page popped up, and one more, etc. – the usual. I got out two pages in – fine. It’s an annoyance and nothing unusual. So about 10 minutes later I fire up a new browser window and notice that my home page now has a frames-like bar at the top, and upon inspection my home page has been changed. Incidentally this is kind of interesting – it’s changed to about:blank, except somehow this ends up redirecting to the same links page I mentioned earlier.

In addition, a desktop shortcut got installed and a new ‘Services.exe’ is running on my box. Since I was lucky enough to catch this relatively quickly I did some searching, found the EXE, got rid of it, plus a couple of registry links that start it up, and it appears all is back to normal. All except about:blank still goes to this links site… so something is still amiss.

My real concern here is how the heck is this possible? My browser security is set to medium and I have all attempts to download anything (ActiveX controls signed and unsigned, Java and scripted ActiveX) set to Prompt in the browser options. Nothing prompted. While I allow script code to run, anything scripting an unsafe ActiveX control or trying to download ActiveX controls is set to prompt. It’s one thing to have some malicious script run, but how does the browser have the ability to basically install a program and a shortcut on my desktop? Anybody have any insight into how this is possible? Also, if anybody has ideas on the about:blank thing. I traced a few Google links in this regard, but they all point at different problems than this one. Is there some way to see what interfaces are plugged into IE? It looks to me like something is running as a browser plugin.

Updated:

Ok, so it turns out that this stuff installed a browser add-in - specifically something in a DLL, pmegfg.dll. I was looking through the DLL list with Process Explorer when I ran into this DLL. I also ran HijackThis, which came after Frank's suggestions, and it showed this DLL as a browser add-in. I renamed the DLL and no more redirection.

This has been a rather scary experience, especially due to the fact that it so casually happened in a browser environment that I thought was locked down (still think it was).

The real problem with this that I see though is this:

There's no way to check to see what's installed into Internet Explorer. It's kind of ridiculous that you can't get a list of all plug-ins installed from within IE and have the option to uninstall them. You can see installed ActiveX controls, but you can't see any plug-ins like the Google bar, the Acrobat add-in or, as in this case, the malicious plug-in.
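As an added check that is not part of the original post: IE add-ins of the kind described here (Browser Helper Objects) are registered under a fixed registry key, so they can be enumerated outside the browser. This PowerShell script, which assumes Windows PowerShell with the registry provider and an elevated prompt, lists each registered BHO with the DLL its CLSID resolves to and its Authenticode status, then dumps the Run keys and IE start page that this kind of hijack touched.

```powershell
# Added example, not code from the original post. Lists Browser Helper Objects (IE add-ins)
# and the DLL each loads, then the autostart entries and IE start page a hijack modifies.
# Assumes Windows PowerShell (registry provider, Get-AuthenticodeSignature); run elevated.

# BHO registration key -> COM class root used to resolve its CLSIDs (64-bit and 32-bit views).
$bhoRoots = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'             = 'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
}

function Get-BrowserHelperObjects {
    foreach ($bhoKey in $bhoRoots.Keys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem $bhoKey) {
            $clsid    = $entry.PSChildName
            $classKey = Join-Path $bhoRoots[$bhoKey] $clsid
            $name = (Get-ItemProperty $classKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty (Join-Path $classKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            # An unnamed BHO, an unsigned DLL, or a DLL in an odd location is worth a closer look;
            # a renamed DLL (as in the post) shows up here as 'missing' but stays registered.
            $status = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'missing' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $path; Signature = $status }
        }
    }
}

function Get-IePersistenceHints {
    # Autostart entries: the post found "a couple of registry links" that started the EXE.
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $run)) { continue }
        $key = Get-Item $run
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $run; Name = $valueName; Value = $key.GetValue($valueName) }
        }
    }
    # The hijacked home page lives here for the current user; compare it with what you set.
    $main = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Key = 'HKCU:\...\Internet Explorer\Main'; Name = 'Start Page'; Value = $main.'Start Page' }
}

Get-BrowserHelperObjects | Format-Table -AutoSize
Get-IePersistenceHints   | Format-Table -AutoSize
```

Removing a BHO means deleting its subkey under the Browser Helper Objects key (and its Run entry, if any); renaming the DLL alone leaves the registration behind, which is why the listing reports it as 'missing'.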

There's no way to uninstall IE. If it's screwed up there's not a whole lot you can do to 'start over'. Worse, it's screwed up on the whole machine - even if you log in as another user after a reboot, failures like this happen. Why are these plug-ins running for more than one user - that user didn't install it (or the Google bar for that matter). Along the same lines, why the heck isn't there a way to completely reset IE to its installation defaults?

Well, I guess I should feel lucky this hasn't happened to me sooner. But what a nice way to waste an evening, no?