This is likely a false positive since it only shows up in psscan - psscan is like a carver for processes so sometimes it gives a false positive.<br><br>Michael.<br><br><div class="gmail_quote">On 5 March 2013 19:29, Ayers, Robert <span dir="ltr">&lt;<a href="mailto:roayers@pa.gov" target="_blank">roayers@pa.gov</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="#0563C1" vlink="#954F72" lang="EN-US"><div><p class="MsoNormal">Anyone ever seen anything like this? It came out of a  WinXPSP3x86 ram capture.<u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">PCSXView results;<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd<u></u><u></u></p>

<p class="MsoNormal">---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------<u></u><u></u></p><p class="MsoNormal">0x0a074da0 X???E?P??(O&#39;?     23...6 False  True   False    False  False False   False   <u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">PSSCan results;<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Offset(P)  Name                PID   PPID PDB        Time created                   Time exited                   <u></u><u></u></p>

<p class="MsoNormal">---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------<u></u><u></u></p><p class="MsoNormal">0x0a074da0 X???E?P??(O&#39;? 23...6 23...4 0x8a274dc0                                                              <u></u><u></u></p>

<p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;;color:#17365d">Robert Ayers, </span></b><span style><u></u><u></u></span></p>

<p class="MsoNormal"><u></u> <u></u></p></div></div><br>_______________________________________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
<br></blockquote></div><br>