Normal ntoskrnl calls are *.sys files; this call to a hexadecimal address looks suspicious. I have scanned the ntoskrnl.exe file on Jotti but it looks to be clean.
The subject computer seems to be operating normally and virus scans with MBAM and AVAST report no viruses. This computer has shared a USB drive with a known infected computer, however the USB drive continues to check clean with MBAM and AVAST.
I’m bumping this as this thread comes up on a Google search… I am seeing the same result on my old Thinkpad laptop.
Just like the OP, the system seems fine and doesn’t alert on any virus scans. But it seems the unusual hexadecimal ntoskrnl.exe call is only present on infected systems, so it has me worried. I don’t appear to have any of the hidden partitions that most of the infected systems show, though.
The unknown MBR code is probably due to this being a Thinkpad which uses a 1 gig hidden partition to restore the main partition to factory shipping state.
The “suspicious” tfsndres.sys file seems to be fine… I uploaded it to VirusTotal and it came back clean.
I have no idea what sprz.sys is. That file isn’t present on the system.
Here’s my whole log:
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 08:53:59
08:53:59.930 OS Version: Windows 5.1.2600 Service Pack 3
08:53:59.930 Number of processors: 1 586 0xB01
08:53:59.930 ComputerName: LAPTOP UserName:
08:54:02.865 Initialize success
08:54:09.334 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-3
08:54:09.344 Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
08:54:09.374 Disk 0 MBR read successfully
08:54:09.384 Disk 0 MBR scan
08:54:09.394 Disk 0 unknown MBR code
08:54:09.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56293 MB offset 63
08:54:09.434 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 937 MB offset 115290000
08:54:09.454 Disk 0 scanning sectors +117210240
08:54:09.694 Disk 0 scanning C:\WINNT\system32\drivers
08:54:23.174 Service scanning
08:54:24.876 Modules scanning
08:54:35.471 Module: C:\WINNT\system32\dla\tfsndres.sys SUSPICIOUS
08:54:37.164 Disk 0 trace - called modules:
08:54:37.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sprz.sys >>UNKNOWN [0x86f87938]<<
08:54:37.584 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86e5c840]
08:54:37.604 3 CLASSPNP.SYS[f7681fd7] → nt!IofCallDriver → \Device\00000095[0x86eb59e8]
08:54:37.625 5 ACPI.sys[f74c0620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-3[0x86ee0d98]
08:54:37.655 Scan finished successfully
08:54:56.111 Disk 0 MBR has been saved successfully to “C:\test\Install\MBR.dat”
08:54:56.141 The log file has been saved successfully to “C:\test\Install\aswMBR1.txt”
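As an added example (not part of this thread and not aswMBR’s own code), here is a small Python triage script that pulls the points discussed above out of an aswMBR log: the "unknown MBR code" line, hidden partitions, modules flagged SUSPICIOUS, the >>UNKNOWN [address]<< hook in the disk call chain, and any driver in that chain that is not part of the stock XP storage stack. The known-driver baseline and the sample log lines are constructed for the example.

```python
import re

# Constructed sample: a few lines in the same shape as the aswMBR log posted above.
SAMPLE_LOG = r"""aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
08:54:09.394 Disk 0 unknown MBR code
08:54:09.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56293 MB offset 63
08:54:09.434 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 937 MB offset 115290000
08:54:35.471 Module: C:\WINNT\system32\dla\tfsndres.sys SUSPICIOUS
08:54:37.164 Disk 0 trace - called modules:
08:54:37.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sprz.sys >>UNKNOWN [0x86f87938]<<
08:54:37.655 Scan finished successfully
"""

# Assumed baseline of drivers normally seen in an XP IDE disk call chain (example only).
KNOWN_STORAGE_STACK = {"ntoskrnl.exe", "classpnp.sys", "disk.sys", "partmgr.sys",
                       "acpi.sys", "hal.dll", "atapi.sys", "pciide.sys"}

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+")
UNKNOWN_HOOK = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def triage_aswmbr(log_text):
    """Return a dict of the findings a reviewer would look at in an aswMBR log."""
    findings = {"unknown_mbr": False, "hidden_partitions": [],
                "suspicious_modules": [], "unknown_hooks": [], "unlisted_drivers": []}
    for line in log_text.splitlines():
        body = TIMESTAMP.sub("", line)          # drop the leading HH:MM:SS.mmm
        if "unknown MBR code" in body:          # non-standard boot code (OEM recovery or bootkit)
            findings["unknown_mbr"] = True
            continue
        part = re.match(r"Disk \d+ Partition (\d+) .*\bHidd\b", body)
        if part:                                # partition marked hidden
            findings["hidden_partitions"].append(int(part.group(1)))
            continue
        mod = re.match(r"Module: (\S+) SUSPICIOUS", body)
        if mod:                                 # module aswMBR could not vouch for
            findings["suspicious_modules"].append(mod.group(1))
            continue
        if body.startswith("ntoskrnl.exe"):     # the "called modules" chain line
            findings["unknown_hooks"].extend(UNKNOWN_HOOK.findall(body))
            for driver in UNKNOWN_HOOK.sub("", body).split():
                if driver.lower() not in KNOWN_STORAGE_STACK:
                    findings["unlisted_drivers"].append(driver)
    return findings


if __name__ == "__main__":
    for key, value in triage_aswmbr(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An unlisted driver in the chain (here sprz.sys) is a lead to check against installed software, not a verdict on its own.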
The tfsndres.sys file could still be an issue as a VT scan can’t really replicate what the aswMBR scan is doing. But there are references to this file being associated with a backdoor trojan.
It is also associated with Drive Letter Access by Sonic DLA (Sonic Solutions), IBM DLA or VERITAS Software, Inc. Do any of those ring any bells regarding installed software?
The sprz.sys is a different ball game, and most references relate to malware, so it will need further investigation from essexboy or another malware removal specialist.
No problems at all that I can tell. The scan was done due to concerns from a rootkit/malware outbreak in 12/2011 that seems to be on some sites, in my case, somethingawful.com.
This is an old IBM Thinkpad, so tfsndres is IBM DLA most likely.
Daemon Tools 4.10.0218 is installed. That helps explain the sprz. Thanks!