Double ntkrnlpa.exe, strange windows, unknown device

Discussion in 'malware problems & news' started by SystemJunkie, Oct 8, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Take a look at the following screens; I made several so that I don't need to create another thread. Strange things, maybe a bit paranoid, but I want to see your opinions.

    http://i12.tinypic.com/47wzfab.png

    So you see two ntkernels on 2 different addresses, is this normal behaviour?

    http://i12.tinypic.com/2ex4x05.png

    What is IME or MSCTFIME? It seems with every new process a new hidden IME window is created.
     
    Last edited: Oct 10, 2006
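    The question above (why every process seems to bring its own hidden IME window) can be checked directly rather than eyeballed in a process viewer. The script below is an added example and was not posted in this thread; it enumerates the top-level windows via `EnumWindows`, groups the hidden ones by window class, and attributes the `IME` ("Default IME") and `MSCTFIME UI` windows to the process and thread that own them. Windows creates one Default IME window for each thread that creates a window, so the expected picture is roughly one per GUI thread, all owned by processes you recognise; an IME-class window whose owner is not a process you can account for is what would deserve a second look.

```powershell
# Added example (not from the thread): list hidden top-level windows by class and owning process,
# so the "Default IME" (class IME) and "MSCTFIME UI" windows can be attributed to their owners.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class WinEnum {
    delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetClassName(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern int GetWindowText(IntPtr hWnd, StringBuilder buf, int max);
    [DllImport("user32.dll")] static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);

    public class Info { public IntPtr Handle; public string Class; public string Title; public uint Pid; public uint Tid; public bool Visible; }

    // Walk all top-level windows (hidden ones included) and record class, title, owner PID/TID.
    public static List<Info> TopLevel() {
        var list = new List<Info>();
        EnumWindows(delegate(IntPtr h, IntPtr l) {
            var cls = new StringBuilder(256); GetClassName(h, cls, cls.Capacity);
            var txt = new StringBuilder(256); GetWindowText(h, txt, txt.Capacity);
            uint pid; uint tid = GetWindowThreadProcessId(h, out pid);
            list.Add(new Info { Handle = h, Class = cls.ToString(), Title = txt.ToString(),
                                Pid = pid, Tid = tid, Visible = IsWindowVisible(h) });
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return list;
    }
}
'@

$windows = [WinEnum]::TopLevel()

# 1. How many hidden windows of each class exist? IME and MSCTFIME UI normally dominate: the system
#    creates one Default IME window per thread that creates windows, and MSCTFIME adds its own.
$windows | Where-Object { -not $_.Visible } | Group-Object Class | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Attribute each IME-class window to its owning process and thread. Look for owners that are
#    not running processes you recognise, or a single process holding far more than one per GUI thread.
$windows | Where-Object { $_.Class -eq 'IME' -or $_.Class -eq 'MSCTFIME UI' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.Pid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited/unknown>' }
        New-Object PSObject -Property @{
            Process = $name; Pid = $_.Pid; Tid = $_.Tid; Class = $_.Class; Title = $_.Title
        }
    } | Sort-Object Process, Pid | Format-Table Process, Pid, Tid, Class, Title -AutoSize
```

Run it from an ordinary PowerShell prompt; no elevation is needed to enumerate windows, although `Get-Process` may not resolve names for processes running in another session, which then show as `<exited/unknown>` and should be checked with an elevated process list before drawing conclusions.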
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Do you have a PAE system with more than 4G of memory?

    Have you noticed anything with the input method editor in the past?
    There have been some that use that sort of thing - if it is one of those - it might be similar to this?
    http://www.symantec.com/security_response/writeup.jsp?docid=2006-071212-1723-99&tabid=2

    There is a vulnerability with the Korean IME and apparently Samsung's site was affected - but there has been a patch out for a while
     
    Last edited: Oct 8, 2006
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No I have 1 GB Mem.

    But I don't understand why the ntdll read-out always shows two ntkrnlpa's, like in IceSword.

    Maybe it is useful to mention that I can kill all window titles except the IME's.
     
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The reason I asked, is that I think of ntkrnlpa.exe as the image for x86 systems with more than 4 GB of physical memory (PAE). It is possible, I think, to run PAE with less than 4G if you make the effort to config it.

    I don't know what you are running, but on mine ntkrnlpa.exe is on the disk, however I can't find it running as a system process.
    Mine (xpsp2) is running ntoskrnl.exe for the job -- but I should note that the original WinCD file source which is written into hard drive's ntoskrnl.exe on my system is the multiprocessor version (ntkrnlmp.exe). Are you running 2k or vista? I was wondering if your ntkrnlpa file had been overwritten with a nasty and shouldn't be starting?
    I'm also not sure exactly what the PID 116 that your img relates to is calling itself - the uppermost image stopped at 114 (the PID of ntkrnlpa) plus a sys file. Why would you say it's in ntdll? It may be that I'm missing something about those images - I haven't used IceSword.
     
    Last edited: Oct 8, 2006
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I actually use winxp pro and vista beta, both systems have this massive hidden window title IME overflood. Strange thing.

    I don't use address extension, probably a nasty. I have a Dualcore X2 CPU but nothing more.

    Ntkrnlpa.exe is located in sysdirectory.

    Unfortunately on Vista Beta IceSword does not work, insufficient rights, even when I tried to run it as admin.
     
    Last edited: Oct 10, 2006
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    I'm less 'hot' on the idea of an overwritten ntkrnlpa after what you've said.
    I think it's probably there for this: (from the PAE link above)
    PAE mode can be enabled on Windows XP SP2, Windows Server 2003 SP1 and later versions of Windows to support hardware-enforced DEP.
    but an (outside of the system) compare on it wouldn't hurt.
     
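    IMM's two points in this thread, that ntkrnlpa.exe is the PAE build of the kernel which XP SP2 loads for hardware-enforced DEP, and that a comparison of the file against a copy from outside the running system "wouldn't hurt", can be turned into a small check. The script below is an added example, not code from this thread: it asks the running kernel whether PAE is enabled (`IsProcessorFeaturePresent` with the documented constant `PF_PAE_ENABLED`, which explains why ntkrnlpa.exe rather than ntoskrnl.exe is the image in use), then hashes both kernel images in `%SystemRoot%\System32`, checks their Authenticode status, and compares the hashes with a known-good copy. The `$KnownGoodDir` path is a placeholder: point it at a copy taken from install media, a clean machine or a trusted backup at the same service-pack level, and remember, as IMM notes, that setup renames the image it installs (ntkrnlmp.exe from the CD becomes ntoskrnl.exe on a multiprocessor system), so compare like with like.

```powershell
# Added example (not from the thread): integrity check of the kernel images in %SystemRoot%\System32
# against a known-good copy held outside the running system, plus a PAE status read-out.
param(
    # Placeholder: directory holding trusted copies of ntoskrnl.exe / ntkrnlpa.exe (same SP level).
    [string]$KnownGoodDir = 'D:\KnownGood\System32'
)

# Ask the running kernel whether PAE is on; PF_PAE_ENABLED (9) is the documented feature constant.
Add-Type -Namespace Probe -Name Cpu -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern bool IsProcessorFeaturePresent(int feature);
'@
$PF_PAE_ENABLED = 9
$paeOn = [Probe.Cpu]::IsProcessorFeaturePresent($PF_PAE_ENABLED)
"PAE enabled in the running kernel: $paeOn (the PAE kernel image is ntkrnlpa.exe; hardware DEP on 32-bit needs it)"

# SHA-256 of a file, streamed so large images are not read into memory at once.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose() }
}

$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'ntoskrnl.exe', 'ntkrnlpa.exe') {
    $live = Join-Path $system32 $name
    if (-not (Test-Path $live)) { "$name : not present in $system32"; continue }

    $ver  = (Get-Item $live).VersionInfo.FileVersion
    $hash = Get-Sha256 $live
    # Windows system binaries are usually catalog-signed rather than carrying an embedded signature;
    # older PowerShell versions report those as NotSigned, so treat the hash comparison as authoritative.
    $sig  = Get-AuthenticodeSignature -FilePath $live
    "$name : version=$ver signature=$($sig.Status) sha256=$hash"

    $ref = Join-Path $KnownGoodDir $name
    if (Test-Path $ref) {
        $refHash = Get-Sha256 $ref
        if ($refHash -eq $hash) { "    matches known-good copy" }
        else                    { "    DIFFERS from known-good copy (reference sha256=$refHash)" }
    } else {
        "    no known-good copy at $ref to compare against"
    }
}
```

A mismatch is only meaningful when the reference file is the same build and service-pack level as the installed one; a hotfix that replaced the kernel will also produce a differing hash. Where no offline copy is available, `sfc /verifyonly` checks the protected system files against the component store as a first pass, but it runs inside the same system and so does not give the outside view IMM is asking for.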