Double ntkrnlpa.exe, strange windows, unknown device

Discussion in 'malware problems & news' started by SystemJunkie, Oct 8, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Take a look at the following screens. I made several so that I don't need to create another thread. Strange things, maybe a bit paranoid, but I want to see your opinions.

    http://i12.tinypic.com/47wzfab.png

    So you see two ntkernels at 2 different addresses; is this normal behaviour?

    http://i12.tinypic.com/2ex4x05.png

    What is IME or MSCTFIME? It seems that with every new process a new hidden IME window is created.
     
    Last edited: Oct 10, 2006
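Added example (not code posted in the thread): a PowerShell script that enumerates every top-level window, hidden ones included, and shows which process owns each window of class "IME" (the "Default IME" window) or "MSCTFIME UI", which is what the screenshots above are full of. The user32 P/Invoke declarations are the standard ones; the process lookup table, the `<no such process>` label and the final filter are this script's own choices. Needs Windows PowerShell 2.0 or later for `Add-Type`.

```powershell
# Added example, not from the thread: list every top-level window, hidden
# ones included, and map the "IME" and "MSCTFIME UI" windows to their owner.

$sig = @'
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int n);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int n);
}
'@
Add-Type -TypeDefinition $sig

# Process table built once, so the callback does not call Get-Process per window.
$procs = @{}
Get-Process | ForEach-Object { $procs[[uint32]$_.Id] = $_.ProcessName }

$script:windows = @()
$cb = [WinEnum+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    $cls = New-Object System.Text.StringBuilder 256
    $txt = New-Object System.Text.StringBuilder 256
    [void][WinEnum]::GetClassName($hWnd, $cls, 256)
    [void][WinEnum]::GetWindowText($hWnd, $txt, 256)
    $ownerPid = [uint32]0
    [void][WinEnum]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
    $name = if ($procs.ContainsKey($ownerPid)) { $procs[$ownerPid] } else { '<no such process>' }
    $script:windows += New-Object PSObject -Property @{
        Handle  = '0x{0:X}' -f $hWnd.ToInt64()
        Class   = $cls.ToString()
        Title   = $txt.ToString()
        Visible = [WinEnum]::IsWindowVisible($hWnd)
        PID     = $ownerPid
        Process = $name
    }
    return $true
}
[void][WinEnum]::EnumWindows($cb, [IntPtr]::Zero)

# One "Default IME" (class IME) and one "MSCTFIME UI" window per GUI thread is
# normal: imm32.dll and the Text Services Framework IME bridge create them when
# a thread puts up its first window, so the count grows with every GUI process.
$imeClasses = 'IME', 'MSCTFIME UI'
$script:windows |
    Where-Object { $imeClasses -contains $_.Class } |
    Sort-Object Process, PID |
    Format-Table Process, PID, Class, Title, Visible -AutoSize

# What deserves a second look is not the IME windows but a hidden window whose
# owner PID is not in the process list: either the owner is gone, or it is
# being hidden from Get-Process, which is the kind of thing IceSword is for.
$script:windows |
    Where-Object { -not $_.Visible -and $_.Process -eq '<no such process>' } |
    Format-Table Handle, Class, Title, PID -AutoSize
```

Run it from an elevated prompt so window-to-process mapping works for other users' processes too. Killing the IME windows from a window-list tool, as described later in the thread, does not remove them for long: the owning thread recreates its default IME window the next time it needs one.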
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Do you have a PAE system with more than 4G of memory?

    Have you noticed anything with the input method editor in the past?
    There have been some that use that sort of thing; if it is one of those, it might be similar to this:
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-1723-99&tabid=2

    There is a vulnerability with the Korean IME, and apparently Samsung's site was affected, but there has been a patch out for a while.
     
    Last edited: Oct 8, 2006
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No I have 1 GB Mem.

    But I don't understand why the ntdll readout always shows two ntkrnlpa's, like in IceSword.

    Maybe it is useful to mention that I can kill all window titles except the IME's.
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The reason I asked is that I think of ntkrnlpa.exe as the image for x86 systems with more than 4 GB of physical memory (PAE). It is possible, I think, to run PAE with less than 4 GB if you make the effort to configure it.

    I don't know what you are running, but on mine ntkrnlpa.exe is on the disk; however, I can't find it running as a system process.
    Mine (XP SP2) is running ntoskrnl.exe for the job, but I should note that the original Windows CD source file which is written to the hard drive's ntoskrnl.exe on my system is the multiprocessor version (ntkrnlmp.exe). Are you running 2k or Vista? I was wondering if your ntkrnlpa file had been overwritten with a nasty and shouldn't be starting.
    I'm also not sure exactly what the PID 116 that your image relates to is calling itself; the uppermost image stopped at 114 (the PID of ntkrnlpa) plus a sys file. Why would you say it's in ntdll? It may be that I'm missing something about those images; I haven't used IceSword.
     
    Last edited: Oct 8, 2006
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I actually use WinXP Pro and Vista Beta; both systems have this massive overflood of hidden IME window titles. Strange thing.

    I don't use address extension; probably a nasty. I have a dual-core X2 CPU but nothing more.

    Ntkrnlpa.exe is located in the system directory.

    Unfortunately on Vista Beta IceSword does not work (insufficient rights), even when I tried to run it as admin.
     
    Last edited: Oct 10, 2006
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I'm less 'hot' on the idea of an overwritten ntkrnlpa after what you've said.
    I think it's probably there for this: (from the PAE link above)
    PAE mode can be enabled on Windows XP SP2, Windows Server 2003 SP1 and later versions of Windows to support hardware-enforced DEP.
    but an (outside of the system) compare on it wouldn't hurt.
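As an added example (not something posted in the thread), here is how the PAE question and the "outside of the system" compare suggested above could be checked from PowerShell. It assumes Windows PowerShell 2.0 or later and, for the hash compare, an assumed directory C:\known-good holding ntoskrnl.exe and ntkrnlpa.exe expanded from the install media on a clean machine; adjust that path. The registry value and WMI properties it reads are the documented ones for XP SP2 / Server 2003 SP1 and later.

```powershell
# Added example, not from the thread. Which x86 kernel booted, are the kernel
# files Microsoft-signed, and do they match a known-good copy?

$sysdir  = Join-Path $env:SystemRoot 'System32'
$kernels = 'ntoskrnl.exe', 'ntkrnlpa.exe' |
    ForEach-Object { Join-Path $sysdir $_ } |
    Where-Object { Test-Path $_ }

# 1. Is the PAE kernel in use? The memory manager records this under
#    Session Manager\Memory Management\PhysicalAddressExtension (1 = PAE on),
#    and Win32_OperatingSystem exposes PAEEnabled plus the DEP policy. XP SP2
#    turns PAE on by itself on NX-capable CPUs so hardware DEP can be enforced,
#    which is why a 1 GB machine can be running ntkrnlpa.exe.
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$pae = (Get-ItemProperty -Path $mm -Name PhysicalAddressExtension -ErrorAction SilentlyContinue).PhysicalAddressExtension
$os  = Get-WmiObject Win32_OperatingSystem
'PAE (registry): {0}   PAEEnabled (WMI): {1}   DEP policy: {2}' -f $pae, $os.PAEEnabled, $os.DataExecutionPrevention_SupportPolicy

# 2. Version and signature of each kernel file. OriginalFilename shows which of
#    the four build variants setup copied in: ntoskrnl/ntkrnlmp (no PAE, UP/MP)
#    and ntkrnlpa/ntkrpamp (PAE, UP/MP) land on disk as ntoskrnl.exe or
#    ntkrnlpa.exe. Both files should carry the same version string.
foreach ($k in $kernels) {
    $ver = (Get-Item $k).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $k
    '{0,-12} version={1,-22} original={2,-13} signature={3} {4}' -f (Split-Path $k -Leaf),
        $ver.FileVersion, $ver.OriginalFilename, $sig.Status, $sig.SignerCertificate.Subject
}

# 3. Hash compare against copies taken from outside the running system.
function Get-Sha256Hex ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}
# Assumed path: files expanded from the install CD on a clean machine, e.g.
#   expand D:\i386\ntkrnlpa.ex_ C:\known-good\ntkrnlpa.exe
$goodDir = 'C:\known-good'
foreach ($k in $kernels) {
    $leaf = Split-Path $k -Leaf
    $good = Join-Path $goodDir $leaf
    $hash = Get-Sha256Hex $k
    if (Test-Path $good) {
        '{0,-12} sha256={1}  matches known-good copy: {2}' -f $leaf, $hash, ($hash -eq (Get-Sha256Hex $good))
    } else {
        '{0,-12} sha256={1}  (no known-good copy at {2})' -f $leaf, $hash, $good
    }
}
```

Two caveats when reading the output. On XP the kernel files are signed through a security catalog rather than an embedded signature, so `Get-AuthenticodeSignature` reports NotSigned for a perfectly good file; Sysinternals sigcheck (catalog-aware) or `sfc /scannow` is the right signature check there. And hotfixes replace both kernel files, so a hash mismatch against the install CD is expected on a patched machine; compare against the file from the matching hotfix package, or at least check that ntoskrnl.exe and ntkrnlpa.exe report the same version and both show a Microsoft OriginalFilename.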
     