Possible false positive?



Hi all,

 

A month or so ago I added Junkware Removal Tool to my regular weekly scans (CCleaner, Defender scan, SAS, MBAM, JRT in that order).

I have noticed that JRT keeps finding and removing the same file (the others ignore it):

C:\Users\myname\AppData\Roaming\sp_data.sys

This file then gets recreated next time I boot.

Results of a Google search are ambiguous as to whether this is Junkware/Malware/Virus or not, and I cannot find a description as to what this file is actually for, or what process/application uses it.

The contents of the re-created file are always:

[Main]
Mode=1
ColorTableName=X551MA_8086_AF0620EC
ColorTemperature=50
IsSupportedMode=1

X551MA is my Asus laptop model.

So does anybody know just what this file is?

Is it a false positive in JRT?

If not then what is it?
And what is the likely source that is recreating it on every boot?


Hi,

 

Thanks for your report. :)

 

That file probably is related to ASUS:

 

X551MA being the model number of the product

8086 being a vendor number associated with Intel

Unsure about that last string (AF0620EC)

 

In any case, I'll remove detection for it in an upcoming build if it is constantly re-added. But no, it doesn't appear to be malware related. It's just an unusual place for any software to drop a system file.

 

Regards


Thanks for the replies;

Pondus,
I had already checked it with VirusTotal after making the OP, and decided that it was indeed safe.
Just for info, here's the result from a new scan:
https://www.virustotal.com/en/file/e48d105884e0fca52d2e8042c88a14616d0a3db213093755ba494ab2026c3768/analysis/1452686004/

thisisu,
Yes, it's an Asus laptop with an Intel processor and Intel HD Graphics.
I did a search for the string 'AE0620EC' and found a Chinese site for HTTP headers that links it with an IP, 175.6.32.236.
That IP looks up to near Changsha, Hunan, China.
A further search shows that there is indeed a large Asus factory and service centre located in Hunan.

Just a case now of finding out just what the file is, and what application is using it.
(Probably it will be related to the graphics card).

Once again thanks for taking a look.


  • 4 weeks later...

Cheers thisisu,

 

I still never found out exactly what is using/recreating that file; couldn't be bothered spending too much time on it once I decided it was harmless.

 

Looking forward to 8.0.3
