Bottom line first: I'm pretty sure that the number in ( ) is the PID, therefore nshield was not always reporting the application correctly. Remember my first log with a real trojan? Opera did show up there, so it's not always TClockEx.
TClockEx is not calling Windows Time Service. Using DDE it collects the time value from some SystemTime variable using its hook to a Windows process, I suppose. If it did call the service, I'd see WindowsTime going out in the firewall log, since it's one of the few allowed connections I log.
Today, using Autoruns, I disabled TClockEx from startup and rebooted. Then I ran the same old link three times. In all cases Opera was identified in the log and it matches the PID.
Note the annotations in my screenies. I promise I won't post any more of those unless somebody asks for more.
As I described, Process Explorer is behind the Opera window - I start PE before starting Opera, so the clock values apply.
The time stamp in these last screen shots is the crummy Windows display since TClockEx is not running. See the bottom right corner in these as well as yesterday's shots. So to answer your question that there's no timestamp on PE - well there is, always there, in the right corner.
I wish I didn't hijack this thread, ouch.
Could we split it out since it's about nshield?
Thank you for your patience, and whom do you think we should ask to explain?