Double ntkrnlpa.exe, strange windows, unknown device

Discussion in 'malware problems & news' started by SystemJunkie, Oct 8, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Take a look on following screens, I made several, that I don´t need to create another thread. Strange things, maybe a bit paranoid, but I want to see your opinions.

    http://i12.tinypic.com/47wzfab.png

    So you see two ntkernels ond 2 different adresses, is this normal behaviour?

    http://i12.tinypic.com/2ex4x05.png

    What is IME or MSCTFIME, seems with every new process a new hidden IME window is created.
     
    Last edited: Oct 10, 2006
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Do you have a PAE system with more than 4G of memory?

    Have you noticed anything with the input method editor in the past?
    There has been some that use that sort of thing - if it is one of those - it might be similar to this?
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-1723-99&tabid=2

    There is a vulnerability with the korean IME and apparently samsung's site was affected - but there has been a patch out for a while
     
    Last edited: Oct 8, 2006
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No I have 1 GB Mem.

    But I don´t understand why ntdll read out shows always two ntkrnlpa´s, like in IceSword.

    Maybe it is useful to mention, that I can kill all window titles except the IME´s.
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The reason I asked, is that I think of ntkrnlpa.exe as the image for x86 systems with more than 4 GB of physical memory (PAE). It is possible, I think, to run PAE with less than 4G if you make the effort to config it.

    I don't know what you are running, but on mine ntkrnlpa.exe is on the disk, however I can't find it running as a system process.
    Mine (xpsp2) is running ntoskrnl.exe for the job -- but I should note that the original WinCD file source which is written into hard drive's ntoskrnl.exe on my system is the multiprocessor version (ntkrnlmp.exe). Are you running 2k or vista? I was wondering if your ntkrnlpa file had been overwritten with a nasty and shouldn't be starting?
    I'm also not sure exactly what the PID 116 that your img relates to is calling itself - the uppermpost image stopped at 114(the PID of ntkrnlpa) plus a sys file. Why would you say it's in ntdll ? It may be that I'm missing something about those images - I haven't used IceSword.
     
    Last edited: Oct 8, 2006
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I actually use winxp pro and vista beta, both systems have this massive hidden window title IME overflood. Strange thing.

    I don´t use address extension, probably a nasty. I have a Dualcore X2 CPU but nothing more.

    Ntkrnlpa.exe is located in sysdirectory.

    Unfortunately on Vista Beta IceSword does not work, insufficient right, even when tried to run as admin.
     
    Last edited: Oct 10, 2006
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I'm less 'hot' on the idea of an overwritten ntkrnlpa after what you've said.
    I think it's probably there for this: (from the PAE link above)
    PAE mode can be enabled on Windows XP SP2, Windows Server 2003 SP1 and later versions of Windows to support hardware-enforced DEP.
    but an (outside of the system) compare on it wouldn't hurt.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.