I’m bumping this as this thread comes up on a Google search… I am seeing the same result on my old Thinkpad Laptop.

Just like the OP, the system seems fine and doesn’t alert on any virus scans. But it seems the unusual hexadecimal ntoskrnl.exe call is only present on infected systems, so it has me worried. I don’t appear to have any hidden partitions though that most of the infected systems show.

The unknown MBR code is probably due to this being a Thinkpad which uses a 1 gig hidden partition to restore the main partition to factory shipping state.

The “suspicious” tfsndres.sys file seems to be fine… I uploaded it to VirusTotal and it came back clean.

I have no idea what sprz.sys is. That file isn’t present on the system.

Here’s my whole log:

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-08 08:53:59

08:53:59.930 OS Version: Windows 5.1.2600 Service Pack 3
08:53:59.930 Number of processors: 1 586 0xB01
08:53:59.930 ComputerName: LAPTOP UserName:
08:54:02.865 Initialize success
08:54:09.334 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-3
08:54:09.344 Disk 0 Vendor: Hitachi_HTS541060G9AT00 MB3OA61A Size: 57231MB BusType: 3
08:54:09.374 Disk 0 MBR read successfully
08:54:09.384 Disk 0 MBR scan
08:54:09.394 Disk 0 unknown MBR code
08:54:09.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56293 MB offset 63
08:54:09.434 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 937 MB offset 115290000
08:54:09.454 Disk 0 scanning sectors +117210240
08:54:09.694 Disk 0 scanning C:\WINNT\system32\drivers
08:54:23.174 Service scanning
08:54:24.876 Modules scanning
08:54:35.471 Module: C:\WINNT\system32\dla\tfsndres.sys SUSPICIOUS
08:54:37.164 Disk 0 trace - called modules:
08:54:37.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sprz.sys >>UNKNOWN [0x86f87938]<<
08:54:37.584 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86e5c840]
08:54:37.604 3 CLASSPNP.SYS[f7681fd7] → nt!IofCallDriver → \Device\00000095[0x86eb59e8]
08:54:37.625 5 ACPI.sys[f74c0620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP1T0L0-3[0x86ee0d98]
08:54:37.655 Scan finished successfully
08:54:56.111 Disk 0 MBR has been saved successfully to “C:\test\Install\MBR.dat”
08:54:56.141 The log file has been saved successfully to “C:\test\Install\aswMBR1.txt”
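
An added example, not part of the original post and not code from aswMBR: a short Python script that pulls the four items the post discusses (the unknown MBR code, the hidden partition, the SUSPICIOUS module and the UNKNOWN entry in the disk trace) out of an aswMBR log so they can be reviewed together. The regular expressions are assumptions derived only from the log lines shown in this post, and the names `PATTERNS` and `triage` are hypothetical.

```python
import re

# Lines copied from the aswMBR log in the post above.
SAMPLE_LOG = r"""08:54:09.394 Disk 0 unknown MBR code
08:54:09.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 56293 MB offset 63
08:54:09.434 Disk 0 Partition 2 00 1C Hidd FAT32 LBA MSWIN4.1 937 MB offset 115290000
08:54:35.471 Module: C:\WINNT\system32\dla\tfsndres.sys SUSPICIOUS
08:54:37.234 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sprz.sys >>UNKNOWN [0x86f87938]<<
08:54:37.655 Scan finished successfully
"""

# Timestamp prefix as it appears in this log (HH:MM:SS.mmm).
TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"

# Assumed line shapes, inferred from this one log only.
PATTERNS = {
    # groups: (disk number,)
    "unknown_mbr": re.compile(TS + r"Disk (\d+) unknown MBR code"),
    # groups: (partition number, size in MB)
    "hidden_partition": re.compile(
        TS + r"Disk \d+ Partition (\d+) .*\bHidd\b.* (\d+) MB offset"),
    # groups: (module path,)
    "suspicious_module": re.compile(TS + r"Module: (.+?) SUSPICIOUS$"),
    # groups: (named modules before the marker, address of the unnamed entry)
    "unknown_trace": re.compile(
        TS + r"(.*?)\s*>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
}

def triage(log_text):
    """Return a list of (kind, groups) for every line matching a pattern."""
    findings = []
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line.rstrip())
            if match:
                findings.append((kind, match.groups()))
    return findings

if __name__ == "__main__":
    for kind, groups in triage(SAMPLE_LOG):
        print(f"{kind:18} {groups}")
        if kind == "unknown_trace":
            # Each named driver in the trace can be checked for on disk,
            # as the poster did for sprz.sys.
            print("  named modules:", groups[0].split())
```
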