
chrissmith

  1. Hey sorry guys, that was my friend Winston messing around. I really apologize! I don't know what to say! Stupid jerk! God, I can't believe he did that! Anyways, (from me)... I do hope Piriform will consider changing their EULA so users are notified. Gotta apologize again! Sorry!
  2. Shown below is the trace of Recuva contacting Verisign as captured by Smartsniff. Note that the blue highlighted numbers in the capture are the same as the registry key that gets installed into the computer. Unfortunately, a lot of data is encrypted, so I can't tell what's what. I've been told so far that...
     "I highly doubt it's as nefarious as you make it but I'll check..."
     "My theory is without Proof of concept I find this entire thread to be, no offence, a wild google chase, and that the issue described within is not actually occurring, again no offence meant."
     "Please provide us with the proofs from your computer and reassure us to the location that you have downloaded the install from. Else I'm going to really start wondering if this is just a rabblerouser who has us chasing our tails."
     I think I've supplied enough proof, actually, beyond a shadow of a doubt, that Recuva is calling out to Verisign directly after its first run. Now it's up to the Moderators, and devs to answer. Why is everyone so quiet all of a sudden? You weren't so quiet when you doubted me and thought I was just imagining this stuff. How can anyone miss this occurring with this application... especially the Mods who run this place? All I'm asking is that the EULA be updated to reflect that contact will be made during Recuva's first run. Then it will be up to the user to decide whether or not to use the app. I no longer care about what has already been transmitted as it's too late for the machines I allowed access. Piriform should take responsibility and update their EULA. Trace...
     ==================================================
     Index             : 8
     Protocol          : TCP
     Local Address     : 192.168.0.190
     Remote Address    : 23.67.56.11
     Local Port        : 1792
     Remote Port       : 80
     Local Host        : IBM-A6E15B32522.socal.rr.com
     Remote Host       : a26.ms.akamai.net
     Service Name      : http
     Packets           : 7 {4 ; 3}
     Data Size         : 1,807 Bytes {269 ; 1,538}
     Total Size        : 2,396 Bytes {429 ; 1,967}
     Data Speed        : 0.2 KB/Sec
     Capture Time      : 4/28/2012 6:29:48 PM:316
     Last Packet Time  : 4/28/2012 6:29:58 PM:330
     Duration          : 00:00:10.014
     Local MAC Address : 00-11-95-3b-85-9f
     Remote MAC Address: 00-15-e9-ed-af-ca
     ==================================================
  3. Hi Alan, Not to worry about your popularity! I hold nothing against you. In fact it's good that you pose your questions because it gives rise to discussion. The reason I started investigating Recuva in the first place is because I noticed it took a very long time to launch (16 seconds, nominal) on some machines. I really hadn't noticed it on other computers because I allowed the program to initially update during the install. It was only when I didn't allow an update to happen that I noticed the program taking a long time to launch. This is when I felt something was going on. It threw me for quite a while because viewing the registry entries Recuva installs into the registry appeared to be the same on all the computers regardless if they were updated or not. The only difference being the update date. This is when I came to the forum and started this thread. There is no doubt in my mind that Recuva is contacting an undisclosed party. It can be proven just by messing with the authorizing registry key. The difference is that Speccy doesn't act like Recuva. If I open Speccy, it will launch and start running right away regardless if I block it with my firewall. It doesn't require contact before it starts working and it doesn't stall. If Speccy did stall out, I would investigate it too... but it doesn't, so I'm not concerned. I don't use Speccy anyways. This is really a privacy issue. You may not realize it and it may not seem like a big deal to you, but you should nonetheless be concerned. Suppose you were to open your email client and start reading your email. Your email client, without your knowledge, notifies me that you just opened your email. In fact, not only did it notify me, it opened a window for me so I could view what you were reading. Would that give you something to worry about? In this example, it's not so much that I'm able to see what you're doing, but the fact that you didn't even know your email client was doing this behind your back. 
This is the premise behind what privacy issues are all about and why software companies continue to take so much flak. Piriform knows this too, that's why they post a "Privacy Policy". However their policy lacks sorely and gives a false impression. So going by your suggestion, that I install Speccy first, then Recuva. What's the difference? Even if I do this, and Recuva works because Speccy made contact and installed a registry entry for me, didn't Speccy just contact Verisign without my knowledge too? This is also not a Microsoft thing. Windows doesn't even care if a cert is valid or not. Windows might notify you, but that's about it. If you look on your machine, you'll find numerous expired/outdated/unverified certs. In fact, on occasion, if Windows notices an invalid cert and takes the time to warn you, say when you try to install a downloaded program from the internet, all you have to do is disregard it and you can continue on with the installation. Windows doesn't even care, and it won't hinder a thing. Anyways, no, I'm not going to bother with doing an experiment with Speccy and Recuva. The outcome would be the same so it's really irrelevant. Do you use a firewall? If not and you're depending on Windows firewall, I suggest you change to a better one. One that will notify you when any program attempts internet access. Windows firewall will not do this. Thanks, Alan!
  4. Were you able to test if the Recuva key works? I don't have a Speccy key. I haven't investigated it because it works without having to go to the internet... unlike Recuva, which is "broken" until it does.
  5. "Just wondering, would u be able to attach the registry file to your post? I would love to download it for testing Recuva on my machine here." I would, however, I believe the key is "machine specific". As I mentioned, it's not on my desktop computer although Recuva is. Possibly a different key is present for my desktop. I don't know if I'm allowed to post a registry key here so I've attached it as a .txt file. You'll have to change it to .reg if you plan to use it. It's just a cert so it shouldn't harm your computer... but I can't guarantee that! Use at your own risk. "Edit: Do you know if Speccy, Defraggler, or CCleaner exhibit the same behavior? Asking because you already have ZA installed, so easier to test." I haven't tested CCleaner, or Defraggler, but Speccy does ask for internet access. It'll still run even with access blocked, though. recuva verisign key.txt
  6. Ok, in light of what Super Fast had mentioned, I decided to go further and take a chance that System Restore might save me later. If it couldn't, I would have to reload Windows to undo the damage that Recuva had made to the registry when I granted internet access. This is what I did....
     1) I shut down ZA, leaving the Internet active
     2) Took a shot of the Registry using Regshot .... monitoring C:\Document and Settings
     3) I then launched Recuva... it launched quite readily. I didn't run Cports, and since ZA was disabled I couldn't see any alerts
     4) I then took another shot with Regshot and compared the difference
     The only difference is that a root certificate change had been installed into HKLM\Software\Microsoft\SystemCertificates by the name of 4EB6D5....XXX. The cert is a Verisign certificate. I then...
     1) Restarted ZA
     2) Launched Recuva... and it started readily with no delays and no more access attempts through ZA
     3) I then went into the Registry and exported, then deleted the new key.
     The effect of deleting the key caused Recuva to revert back to how it was acting prior to granting internet access. Cports and ZA both reported Recuva attempting to access the internet and Recuva launched slowly as it did before. I then...
     1) Did a System Restore
     Upon completion of System Restore, I launched Recuva and it again asked for internet access through Cports and ZA. I denied it in ZA and again it took about 16 seconds for it to open. At this point, I merged the registry key I had previously exported into the registry and upon launching Recuva again, Cports and ZA no longer alerted that Recuva was attempting access and Recuva launched very quickly. This tells me that this is not a ZA problem. It also tells me that indeed, Recuva is attempting to contact Verisign during first launch. This is an "undisclosed" contact being made. As it stands now, with the imported registry key, Recuva launches as expected and does not attempt internet access. If I delete the key, Recuva reverts back to how it acted previously.
     There are several considerations regarding this key. For one, the key by its name does not exist on my Desktop computer, hence, it may be "machine" or "installation" specific. It certainly is not a generic cert key. So the question remains. Why is this contact not disclosed to Recuva users? What information is being sent? And, why does Recuva even have to do this when it can operate just as it is without the cert? I realize it's just a cert, but what "other" information is/may be sent since it seems to be machine specific? So much fun! Good thing I'm retired!
     EDIT::: The registry key appears to be "machine" specific. I swapped out the 250gig HD and installed the 80gig HD and the same key exists in the registry of the 80gig HD (different user name too). Deleting the key caused Recuva to do the same thing and revert back to attempting internet access. Reimporting it fixes Recuva.
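The before/after registry comparison described in this post, and the match the earlier post draws between the capture and the new key name, can be scripted. The Python below is an added example, not code from the thread; it assumes two regedit `.reg` exports and one captured HTTP request, and the thumbprint, store name, host and user agent in the sample data are constructed placeholders.

```python
import re

# Root of the certificate stores named in the post; compared case-insensitively.
CERT_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates"
THUMBPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")  # SHA-1 thumbprint as 40 hex chars


def parse_reg_keys(text):
    """Parse regedit export text into {key_path: {value_name: raw_data}}.

    Version 5.00 exports are UTF-16 on disk: read them with encoding="utf-16".
    """
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]          # hex: data continues on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def added_cert_keys(before_text, after_text, root=CERT_ROOT):
    """Certificate keys (leaf name is a thumbprint) present only in the second export."""
    before = {k.lower() for k in parse_reg_keys(before_text)}
    added = []
    for key in parse_reg_keys(after_text):
        leaf = key.rsplit("\\", 1)[-1]
        if (key.lower().startswith(root.lower() + "\\")
                and key.lower() not in before and THUMBPRINT.match(leaf)):
            added.append(key)
    return added


def parse_request(raw):
    """Extract who asked (Host, User-Agent) and which certificate file was requested."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    leaf = path.rsplit("/", 1)[-1]
    stem = leaf[:-4] if leaf.lower().endswith(".crt") else ""
    return {
        "method": method,
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
        "thumbprint": stem.upper() if THUMBPRINT.match(stem) else None,
    }


def correlate(before_text, after_text, raw_request):
    """Return the parsed request and the added keys whose name equals its thumbprint."""
    req = parse_request(raw_request)
    matches = [k for k in added_cert_keys(before_text, after_text)
               if k.rsplit("\\", 1)[-1].upper() == req["thumbprint"]]
    return req, matches


# --- Constructed sample data (placeholders, not values from the thread) ---
SAMPLE_THUMB = "0123456789ABCDEF0123456789ABCDEF01234567"
BEFORE = ("Windows Registry Editor Version 5.00\r\n\r\n"
          "[" + CERT_ROOT + "\\ExampleStore\\Certificates]\r\n")
AFTER = (BEFORE + "\r\n[" + CERT_ROOT + "\\ExampleStore\\Certificates\\"
         + SAMPLE_THUMB + "]\r\n"
         + '"Blob"=hex:04,00,00,00,\\\r\n  01,00,00,00\r\n')
REQUEST = ("GET /example/" + SAMPLE_THUMB + ".crt HTTP/1.1\r\n"
           "Accept: */*\r\n"
           "User-Agent: ExampleAgent/1.0\r\n"
           "Host: certs.example.test\r\n\r\n").encode("ascii")

if __name__ == "__main__":
    req, matches = correlate(BEFORE, AFTER, REQUEST)
    print("requested by :", req["user_agent"], "->", req["host"])
    print("thumbprint   :", req["thumbprint"])
    for key in matches:
        print("new key      :", key)
```

The `Host` and `User-Agent` fields returned by `parse_request` show which component issued the request, which is the first thing to read off a capture like the one in the earlier post.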
  7. Yah, it's going to be a tricky process. I'm not sure how to approach it yet... but I'm thinking. I really don't know if Recuva actually detects a connection... it just appears to me that it does. "Am wondering about checking with a new user account + Zone Alarm sometime to see if I can reproduce this behavior, & if not, perhaps a clean install + ZA" I would hate for you to have to do a clean install on a machine just to mess with this... I think Nergal is already doing that. But if you want to join in, feel welcome. You know, troubleshooting this kind of thing would be so much easier if a dev just popped his head in here and gave us the story! I have never minded being wrong about something. I don't even mind being told!
  8. Hi Super Fast, "* Do you suppose that Zone Alarm may cause Recuva to stop responding properly till you allow access? I am not sure, just trying to think of ideas. I currently don't have ZA installed, so I cannot test that theory." That's a good question and one I cannot definitively answer without testing. However, I would have to disable ZA in order to do that. If I do, then I cannot block Recuva from accessing the internet. If I don't block it, and it calls out, I won't know it did. However, if it's true that ZA is actually hindering Recuva, then why wouldn't it hinder it all the time? What I mean is this... I have ZA setup to "alert" me when programs attempt internet access so I can choose to deny access or not. On some of the machines, I actually allowed Recuva to run without blocking it. Once Recuva did its thing, further access attempts were never made, Recuva launched quickly, and I never got an alert from ZA again. Also, even when I set up ZA to totally block Recuva (after it made contact), Recuva still never delays to launch. On machines where I denied Recuva access, the program always delays and both Cports and ZA report access attempts. Cports is simply a monitor (you don't even need to grant it internet access for it to work), and ZA isn't capable of controlling whether or not an application can be launched by a user, hence, either one of these shouldn't hinder Recuva from opening... they're just notifying me that Recuva wants internet access. Beyond that, if the option for updates is disabled, why would Recuva need access? I really don't know, but if it really is a ZA problem, I wouldn't be surprised. ZA has a reputation of doing this kind of thing and making people like me go on wild goose (google) chases... and dragging moderators along in the process! However, I have seriously never seen ZA cause this kind of problem on any computer I've worked on. It has never "broken" a program for me, ever. 
I run a ton of programs and this is the very first time I've ever seen this happen with an application... it doesn't lead me to suspect it's a ZA problem... but you never know. Thanks for that Super Fast! I will certainly investigate this with an open mind!
  9. "I notice that the "connect to internet" that your firewall sees is only a DNS request (at least according to" I run my router connection in the "internet" zone. I'm not exactly sure what it's reporting and I'm not a router expert by any means. But good question... I'll probably look into it later. "Can you tell me what to set my ZA settings to so I match you (I assume this is ZA Free we're dealing with)" I run ZA ver 5.xxx. Pro version. It's a very old ZA as you can tell by the version number, and the settings won't match the newer versions. I have the firewall set on high for both internet and trusted, and program control is on medium, if that helps, but how those settings will affect the new ZA and how you manage your programs, I don't know. Before this T42 laptop leaves me, I do plan to install the newest free ZA for my friend's daughter. I just don't want to do it now while I'm investigating this issue and I certainly don't want to install it on the 250gig drive. "I'm going to be looking at the packets created, if any, via Smartsniff (from the same people as currports and tcpview)" Thanks, I'm aware of Smartsniff and have used it. I may have used it when I traced Recuva to Verisign originally, but I can't remember now. I did have a screen capture of the trace long ago, but deleted it. I regret that now. "EDIT: Zone Alarm Locked me out of My Virtual PC restoring previous version. . . sooooo slow" This is why I use the old ZA! It does only what I need it to! So, I gotta ask... do you still think I might be imagining what I'm seeing? Of course that doesn't apply to the contact issue... but just to the way Recuva is acting. I can't imagine why no one else is noticing this. The only answer I can come up with is that typical installations of "trusted" programs are simply allowed to go where they want to go without being monitored. Perhaps I'm just over paranoid, so I don't allow any program out to the internet unless I absolutely think it has to go. 
Anyways, dig away! I hope you can reproduce this on your machine so we can at least have a consensus.
  10. I decided to continue in a separate post... Quote from Nergal, "My theory is without Proof of concept I find this entire thread to be, no offence, a wild google chase, and that the issue described within is not actually occurring, again no offence meant." If you watch the video in the post above, you might realize that what I'm seeing is definitely "occurring". Not only is it real, but it has developed into a somewhat more interesting puzzle! I like puzzles!
      I did more experimenting and found that Recuva's code must be written to "detect" an Internet/Network presence (we'll call it I/N). If there is an I/N presence, then Recuva will attempt to connect to the internet when it's first launched. If there is no I/N presence, then Recuva will not attempt to access the internet when it's first launched. This is very interesting! Makes me want to play with it some more! We'll probably get into packet sniffing to actually try to pull the data being transmitted! I might try to contact GRC (Steve Gibson) for advice about how to go about sniffing/viewing packets if I can't figure it out myself. I've never done it. Should be fun!
      I suspect that Recuva's code is written to call Verisign at first launch for whatever reason. If it succeeds, then it will work as it should henceforth. If it doesn't succeed, it will stall until such time that it does succeed. If there is no I/N presence, it won't even attempt to call out, and it will also launch without delay.
      I am currently uploading another video to Vimeo. The video should suggest to anyone watching it that Recuva is indeed detecting an I/N presence. Again, the capture was done using Camstudio, 50 frames per/sec, uncut/unedited. What you will see is this...
      1) I will first launch Recuva with an I/N presence. You will note the delay in it launching, and the attempt to connect as reported by Cports and ZA.
      2) I will then disconnect from the I/N, then launch Recuva again... twice. You'll see Recuva not even attempt to call out. Cports and ZA will not show any alerts.
      3) I will then reconnect to the I/N, launch Recuva, and it will again attempt to call out and delay opening. Cports and ZA will report accordingly.
      The clock is present for time reference. If this doesn't convince you that something is happening then I don't know what will. Trust me, I'm not a "rabblerouser". I've been into computers since machine language... they're my babies! There is no reason Recuva should need to access the internet other than to "actually" check for updates. What it's doing on first launch doesn't really need to be done in my opinion. I doubt very much it's a certificate verification requirement thingy... Recuva will work just fine without having to do that! Here's a Link to the video... password chrissmith
  11. Installed a copy of Recuva onto a Windows XP computer that had never had the program installed
      De-Selected Check for updates in the installer
      Ran Currports (as the Original poster did)
      Ran Recuva (non-wizard Mode)
      No call Home
      Quit Recuva
      Blocked Recuva From Internet Access via My Firewall
      Opened recuva, no issue
      Nergal, Thanks for your work. Are these the exact steps you ran your test in? Why didn't you block Recuva with your Firewall before launching it the first time? If I understand this correctly, you never got a prompt from your firewall that Recuva was attempting access at any time while on XP, and Cports never listed Recuva? What firewall? This may very well be a wild goose chase (or google chase, as you say), but let me tell you, this goose has run around on 5 computers in California, 3 in Las Vegas, and 2 in Hawaii. It's a very fast goose! And, just so you know, I take no offense. I want to solve this as much as anyone.
      The OS for the T42 I'm trying to set up for my friend's daughter was installed on a DBan'd 80gig HD... in other words, the hard drive was wiped and reformatted. Windows XP SP2 was then installed using the IBM T42 Recovery CDs, then the OS was upgraded to SP3. At some point, I installed Recuva, and experienced the lovely goose chase this application always seems to run through only for me. So loving the application, I allowed it internet access through the firewall, but didn't bother to monitor it. After Recuva did its internet thing, it then ran as expected and launched very fast. Unfortunately, I cannot undo what Recuva has done to this hard drive since even an uninstall/reinstall of Recuva does nothing to bring the system back to original. Note that I do not run System Restore while setting up computers (just a policy of mine), so a restore is out of the question and may or may not do anything anyways. However, the original T42 250gig hard drive has never had Recuva installed on it. 
I swapped the drives out, installed Recuva, and the goose showed up just as expected. He must have love for only me! This is what I'll do on the 250gig HD... although it'll take some time to process, upload videos, data, and photos as necessary.
      1) take a video of Recuva prior to internet access... with Cports, ZA running. ZA will be set to block Recuva from the get-go.
      2) take a video of Recuva while allowing access... with Cports, ZA running. I will allow ZA to pass Recuva and let the goose fly home. ;-)
      3) take a video of Recuva launching as a comparison of before/after internet contact.
      Note that in all cases, update checks will be disabled in Recuva. Before I run the above, I'm going to take the time to make an Acronis image of the C: partition on the 250gig drive so I can undo Recuva's changes. This whole effort may take me a while to do and I probably won't start tonight (but maybe I will). In any case, if anyone has any requests before I run through the Recuva test, you better let me know soon. I don't want to have to run through it again.
      EDIT::: I decided to upload video #1 (see above) to Vimeo. I also decided to let ZA alert rather than block Recuva from the get-go. The video was captured using Camstudio 2.6 set to 50 frames per/sec and is uncut/unedited. While the video may show Recuva appearing to launch in a few seconds, the actual real time launch is approximately 16 seconds. This is all I'm going to do tonight. Link ... password is chrissmith
      EDIT::: Almost forgot the reg file...
      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Piriform\Recuva]
      "Language"="1033"
      "RestoreFolders"=dword:00000000
      "ShowHiddenFiles"=dword:00000000
      "ShowZeroLengthFiles"=dword:00000000
      "ViewMode"=dword:00000000
      "ShowSecurelyDeletedFiles"=dword:00000000
      "DeepScan"=dword:00000000
      "Passes"=dword:00000001
      "ShowWizard"=dword:00000000
      "ShowExistentFiles"=dword:00000000
      "UpdateCheck"="0"
      "window_left"=dword:000000c4
      "window_top"=dword:00000076
      "window_width"=dword:00000272
      "window_height"=dword:000001f0
      "window_max"=dword:00000001
      "UpdateKey"="20120404"
  12. Alan, Thanks for all your hard work! I found out (see post #6) that if you run a portable Recuva on a computer that already has Recuva installed on it, and, the installed Recuva has already contacted Verisign, then the portable Recuva will not attempt to contact Verisign. If the installed Recuva has not yet contacted Verisign, and you attempt to run a portable, then the portable will attempt to contact Verisign. Did the computer you did your test on already have Recuva installed on it? Had the installed Recuva already contacted Verisign?
  13. Alan_B I'm not really worried about the fact that Recuva contacts Verisign or the possible information that is being collected. They know all about me already. It's the fact that it's "undisclosed" contact and lack of information of what is being collected that's troublesome. I don't suspect Piriform of spying, per se, but the way Recuva goes about its business, anyone who deals with spyware (and I do) will surely think this is "unusual" behavior simply because it's not stated anywhere. Anyone who has been on the internet for any amount of time has surely been exposed to the privacy issues surrounding the many software companies, websites, and places like Facebook. Privacy is a serious issue that should concern everyone. As I mentioned in post #17... "All Piriform needs to do is disclose what information may be collected (EULA), and then let people decide for themselves if they want to use the program and allow that collection." What's so difficult about this? I can't imagine. Anyways Alan, I don't expect anything to come of this thread. It'll probably just fade away... and that's really too bad. It's already been almost a month, 3 moderators have visited, and not a single dev? You would think moderators have no contact with them. Thanks for participating. Moderators can close this thread if they wish. I'll do my own independent analysis of what's really going on. Perhaps nothing!
  14. hazelnut, Being a moderator yourself, I'm sure you're able to contact the devs. Well, maybe not. However, since they don't visit too often and only sometimes comment, I'll try to keep the topic on top of the forum so they can see it.
  15. Alan_B You are either missing the entire issue or you can't understand it. Why do you believe in any way that financial transactions dealing with Verisign has anything to do with what the real issue is? Why even suggest I complain to Symantec? Do you even realize how silly that sounds? Whether it be Verisign, Google, Timbuctoo, or Venus ... it doesn't matter who Recuva is calling. The issue is Recuva is calling out to an "undisclosed" entity without notification to its users. Beyond that, if contact fails, not only is the program's operation hindered, but the error that is displayed to the user is a "Check for Updates" error, even when the update option is disabled. The mere fact that the displayed error is obviously a deception when Recuva cannot contact Verisign does not bode well with me. In the future, try to keep the real issue in mind.