Raz0r wrote:
You might have picked something up when poking around SweetFX downloads as you mentioned 
As Razzy said - SweetFX is actually blocked by Chrome as malicious software. When I saw this I went into alert mode, then, in relation to that download, off that site. I got the download via Internet Explorer (as Microsoft is less cautious than Google [e.g. Java]) and looked into it.
The active component of sweetfx, being opengl32.dll, was UPX compressed (as identified by looking at it in a hex-editor); that alone sends off massive alerts to any security-conscious user. UPX is a real-time in-place compression - imagine a self-extracting zip executable with 1 file in it, being an application which gets unzipped and run when the zip archive is opened - it's like that, but it all happens in memory. Point is, it's really only used to hide what the application really does, as you can't see the app's library imports and exports - all you see is a bunch of compressed data; therefore it is used by the baddies to hide what it does.
So I decompressed opengl32.dll to convert it back to its original compiled state; that I actually could do that means it's either legitimate, or the bad guy is too dumb to know how to stop a UPX decompress. Its compressed size was about 300KB, and uncompressed about 1MB - absolutely no need for the complexity and overhead which in-place compression causes, especially for a dynamically linked run-time library. I checked all its import and export functions and nothing flagged as being inappropriate - like no wininet.dll imports. I also searched through the data for obvious IRC or FTP or WWW access and manual loading of .dlls for live hooks (instead of declaring imports) - didn't see anything [obvious].
BUT, I know how an app can have full Internet access without accessing any libraries except shell32 - and that, combined with a simple cipher to scramble text, could render passive detection useless. Sooo, I then did a Google search for known issues with sweetfx, specifically Trojan-based, and didn't find anything to raise suspicion. That doesn't mean it's clean - that download link may not be a legitimate sweetfx release - but at this time I stopped checking as the odds were it was clean (although I was not going to use it myself!).
I did all this right after that post was made, but decided not to report on the result of my findings. But, if you want a culprit, that's my starting place. (MWB did skip it in a scan; don't let that make you think you are safe, MWB also skips all my toys too.) Just saying, if MWB picked it up, it was by its behavior, not by a viral signature - and if it blocked something coming off "KR", it would have been a pushed download from another site - meaning you are already compromised - and most likely by some unsigned app like sweetfx.
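The first-pass triage the post walks through (spot UPX packing, look for network libraries among the imports, grep the data for URLs, IRC and manual DLL loading) as an added example, written for this page. It is not code from the post, from SweetFX or from the UPX project. Rather than touching a real opengl32.dll, it builds three small constructed PE32 images as fixtures: one laid out like a UPX-packed file (UPX0/UPX1 sections, the "UPX!" marker, a stub that imports only LoadLibraryA/GetProcAddress), one quiet one, and one unpacked one that references WININET.dll and a URL. The 7.0 bits/byte entropy threshold is an assumed heuristic, the `example.invalid` host is a placeholder, and the script scans for DLL name strings instead of walking the import directory, which is an assumption that keeps it short but also catches names handed to LoadLibrary.

```python
import math
import random
import re
import struct
from collections import Counter

# Indicators from the triage described in the post: UPX section names, the "UPX!"
# marker the packer leaves in the image, network-capable libraries, and strings
# that point at URLs, IRC or manual DLL loading.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
NETWORK_DLLS = ("wininet.dll", "winhttp.dll", "ws2_32.dll", "wsock32.dll", "urlmon.dll")
SUSPICIOUS_STRINGS = re.compile(rb"(?i)(https?://|ftp://|irc\.|PRIVMSG|LoadLibrary|GetProcAddress)")
HIGH_ENTROPY_THRESHOLD = 7.0  # assumed heuristic: compressed/encrypted data scores ~7-8 bits/byte


def parse_sections(data):
    """Walk the PE headers by hand; return (name, vsize, vaddr, rawsize, rawptr) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, vaddr, rawsize, rawptr))
    return sections


def shannon_entropy(buf):
    """Bits per byte: 8.0 is uniformly random, plain x86 code usually sits well below 7."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage(data):
    """Packing and network indicators a reviewer would check before trusting a DLL."""
    sections = parse_sections(data)
    lower = data.lower()
    report = {
        "upx_sections": [s[0].decode("latin-1") for s in sections if s[0] in UPX_SECTION_NAMES],
        "upx_marker": b"UPX!" in data,
        "high_entropy_sections": [],
        # String scan catches declared imports and names fed to LoadLibrary alike.
        "network_dlls": [d for d in NETWORK_DLLS if d.encode() in lower],
        "string_hits": sorted({m.group(0).decode("latin-1").lower()
                               for m in SUSPICIOUS_STRINGS.finditer(data)}),
    }
    for name, _vsize, _vaddr, rawsize, rawptr in sections:
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        if ent >= HIGH_ENTROPY_THRESHOLD:
            report["high_entropy_sections"].append((name.decode("latin-1"), round(ent, 2)))
    # Entropy is the check that survives a packer renaming its sections or stripping the marker.
    report["packed"] = bool(report["upx_sections"] or report["upx_marker"]
                            or report["high_entropy_sections"])
    return report


def build_sample_pe(sections):
    """Constructed, non-loadable PE32 fixture standing in for a real DLL (hypothetical data)."""
    pe_off, opt_size = 0x40, 224
    headers_end = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (headers_end + 0x1FF) & ~0x1FF
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)  # i386 32-bit DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, body, ptr, vaddr = bytearray(), bytearray(), raw_start, 0x1000
    for name, raw in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, rawsize, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\0")
        ptr += rawsize
        vaddr += max((rawsize + 0xFFF) & ~0xFFF, 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(raw_start, b"\0") + bytes(body)


def sample_images():
    """Constructed fixtures: a UPX-style packed image, a quiet one, and an unpacked one that talks."""
    rng = random.Random(20240101)
    packed_blob = bytes(rng.getrandbits(8) for _ in range(4092)) + b"UPX!"
    stub = b"\x55\x8b\xec\x5d\xc3" * 40  # push ebp / mov ebp,esp / pop ebp / ret
    return {
        "packed": build_sample_pe([
            (b"UPX0", b""),  # UPX leaves this section with no raw data on disk
            (b"UPX1", packed_blob),
            (b".rsrc", b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0"),
        ]),
        "clean": build_sample_pe([(b".text", stub), (b".rdata", b"KERNEL32.dll\0CreateFileA\0")]),
        "talkative": build_sample_pe([
            (b".text", stub),
            (b".rdata", b"WININET.dll\0InternetOpenUrlA\0http://example.invalid/u\0LoadLibraryA\0"),
        ]),
    }


if __name__ == "__main__":
    for label, image in sample_images().items():
        print(label, triage(image))
```

On a real file, `triage(open(path, "rb").read())` gives the same report; confirming and undoing the packing is still a job for the UPX tool itself (`upx -d`), and a packer that renames its sections or blanks the marker is only caught here by the entropy check, which is why that check is kept separate from the name match.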