Anyone know what this is? A friend of mine told me about a windows cleaning prgrams (cleans junks and dupes) and when I was going to install it I got a pop up from my Firewall asking if I will allow this program to access the internet. This sounds really fishing to me. The program I was trying to install is CMDisk Cleaner. I found it at webattack.com

-{ Quote: " quoting: notageek link=board=22;threadid=9848;start=0#msg64273 date=1054591914]... A friend of mine told me about a windows cleaning prgrams (cleans junks and dupes) and when I was going to install it I got a pop up from my Firewall asking if I will allow this program to access the internet. " }-

Hi notageek,

Can you explain this statement a little more? ("...when I was going to install it...") Had you actually run the install, and had it finished yet, or was it near the finish? Since CM DiskCleaner seems to have an automatic update feature, (see their home page: here (http://www.cmdiskcleaner.com/)), this could simply have been the first update attempt.

Can you also check the Properties... on the file to see what all is contained in the Version tab? If it is clearly part of the CM DiskCleaner product, then that might explain it.

I'm assuming you've scanned the file with all your AV/AT tools, correct?

Another trick for figuring out what it's doing is - in your firewall give the program access to just your DNS servers, but block other Internet addresses, then run it again and see where it's trying to go to (by the blocked destination address connections in your firewall log).

Hi LWM, the file was scanned with AV. Now When I clicked on the file to install it beofre it even came up with the normal "you're about to install so and so program" the file tried to access the internet. The file wasn't even installed yet. But trying it again I found that I mis spelled the name I't SUF60RUNTIME. I read that they have an auto updater on their web site before I even posted and ruled that out cuz the program never installed.

I checked the properties and didn't see a file called SUF60RUNTIME at all. But here's the company this program comes from: Indigo Rose Corporation http://www.indigorose.com

I'm going to look around about this company and see what I can dig up. It's still odd that a program wants to access the internet before it even shows an install window.

I'm still wondering where the program name "SUF60RUNTIME" comes from. The install kit for CM DiskCleaner is "CMDiskCleaner.exe", and it's a 5.7MB installation kit. (That is the file you are double clicking to install the app, right?)

I don't understand how "SUF60RUNTIME" fits in at all. (Though I guess you don't either, which is why you are asking the question.) So, you can't find any file on your system name SUF60RUNTIME - anywhere?

Too bad this person (http://groups.google.com/groups?q=SUF60RUNTIME&hl=en&lr=&ie=UTF-8&oe=utf-8&selm=3e9f04c0%240%2426348%24626a54ce%40news.free.fr&rnum=1) didn't state what program he was trying to install.
Do you have a program that can provide you with a list of all your startupentries (including the RunOnce key)?
If you don't, try AutoStartViewer (http://www.diamondcs.com.au/index.php?page=asguard)

Regards,

Pieter

Okay, I decided to throw caution to the wind and tried downloading and installing the program myself... :D SUF60Runtime is definitely one of the first programs extracted and run from the CM DiskCleaner installation kit.

Once you double click on CMDiskCleaner.exe, it extracts a few modules to your \Temp\ folder, one of which is a file named irsetup.exe (which has the internal program description/name: SUF60Runtime).

See the mess of an image below for additional information. :o

irsetup.exe (aka. SUF60Runtime) immediately attempts to access DNS. But, it appears DNS is all it's trying to access. It does not try to connect anywhere after you give it access to DNS. It may simply be trying to find information about your system (perhaps even just its name). After DNS, it attempts to access NetBIOS - this may also be to simply find out information about your system (again, maybe its name). None of this appears to be an attempt to connect to any other system.

I stopped the install after these first few items as I did not wish to actually install this application. But, from what I can tell it is not malicious.

>> Too bad this person didn't state what program he was trying to install...

Yes, that person is describing exactly this functionality.

Looking just at the properties description of the kit itself and irsetup.exe, I'm wondering if this is just the functionality of a generic "installer". The makers of CM DiskCleaner may not be using their own installer, but rather one they purchased or licensed from someone else, which has this standard installation process.

As I said, I don't think there is anything malicious here. If you want to use CM DiskCleaner, you'll need to let it's installer run. I believe it'll install just fine without giving Internet access, given what it appears to be using it for.

Oh, and if you open the .ini & .dat files in the \temp\ folder, you'll see a lot more installation information.

Thanks Pieter and LWM.

Pieter, I ran ASviewer and seen nothing there that wasn't there before I tried to install this program. What I do is when I run ASviewer I take a screenie of it and compare when I run it it again. ;D

LWM, thanks for the help. I think I'm not going to install this program and just clean the dupes and temp file the old fasion way. Who knows maybe the program itself might even call out after a full install. ;)

-{ Quote: " quoting: notageek link=board=22;threadid=9848;start=0#msg64341 date=1054646611]
Pieter, I ran ASviewer and seen nothing there that wasn't there before I tried to install this program. What I do is when I run ASviewer I take a screenie of it and compare when I run it it again. ;D
" }-

Good thinking.

Generic installer possibility confirmed. I have reformatted and reinstalled Win2K today. I always install ZoneAlarm firewall imm after internet connection established. I installed several utilities and one of them activated SUF60runtime. Zonealarm caught it also.

Perhaps this is a Win component that the installers "call".

I'm going to email the maker and find out what it is and why it need access to the internet. I'll post back if I get a reply.

This is what the Maker or a tech person from the company that makes CMDisk Cleaner replied back to me in an email. Now keep in mind I asked what Suf60runtime is and why does it need access to the internet this is what he replied.
It seems that there is something wrong with yoiur install file.

The file should be

4.31 MB (4,526,549 bytes)

I Tested the file yesterday and it worked fine.

CM DiskCleaner doesn't need to access internet to install.

Regards
Christer

Take that for what it's worth.

I arrived here following my Google search for Surf60runrime. which was trying to access the Net and was questioned by ZoneAlarm. In my case, Suf60runtime is associated with PopUp Killer, a now defunct, popup stopper. The access request occurred again as I was about to reinstall PopUp Killer.

I don't know why a program would need Net access while uninstalling/installing a program.

Jim

I went ahead and installed the CMdisk cleaner and ran spybot S&D and Adaware. I also ran trojan hunter, bit defender and McAfee VS 7.0 and nothing came up. Looks rather clean to me. Nothing seems to ask to access the internet afet I run it or anything. Nothing new running in my back ground.

Perhaps we can set this to rest. Although this reply from Indgio Rose is a tad technical for me. At least, they replied to my inquiry.
----------------------------------------------------------
Jim,

Thank you for contacting us on this issue. Setup Factory 6.0 does not access the Internet at runtime by default. The Setup Factory runtime populates some network variables such as %LANDomain%, %LANHost%, %LANIP% that causes some firewall programs to flag this program. I can assure you that the Setup Factory runtime does not access the Internet when these variables are filled.

There is the possibility that the developer of the setup that you are running has some actions that access the Internet such as to download a file or submit to a web server. These actions are the responsibility of the designers of the setup that you are running. Our product is used by developers to create installs for their software so the actual implementation of these files is totally out of our hands.

Sincerely,

Adam Kapilik
Tech Support
Indigo Rose Corporation
http://www.indigorose.com/

Hi Jim,

Yes, that does make sense. As noted above, the accesses the installer program is making appears to be related to gathering some of the PC's own network information, which sounds like what they were describing in their message back to you. These accesses could be enough to trigger a software firewall alert.

In the testing that I performed, after the program accessed DNS and NetBIOS, it never attempted further network access (it did not try to get to any site out on the Internet).

Thanks for letting us know what they said! http://www.wilderssecurity.com/images/icons/icon14.gif

Best Wishes,
LowWaterMark

If you guys are still interested ;

here's a link to a site where you can download a program called B-news,
This program is used for downloading files out of A.B. newsgroups.
During the installation of this program (B-News), Suf60runtime is launched aswell.

Zone alarm reports :

Program version 6.0.0.2
The version of SUF60Runtime running on your computer

this is the link from where you can download the program ;
http://b-news.sourceforge.net/

Sincerely,

Logimus

As mentioned in an earlier post, one of the other files installed is something called "irsetup.exe". *That* file could be part of a trojan.

See
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.lolok.html

and search for "irsetup.exe" on that page.

Just because suf60runtime did not call home the first time it was used, does not mean it won't later!

Hey Folks.

I to ended up here after finding an installer on my machine that runs this prog ... It turns out that Suf60runtime is SPYWARE and tries to access the net so it can install the spyware prog American.exe or an updated (and re-named) version ! >:(

I did a netsearch and Symantec have a security response for it and they show how to remove it from your system :

http://www.symantec.com/avcenter/venc/data/american.exe.file.threat.html

Hope this helps

I have also this problem when I install a backup utility form Iomega. The SUR60Runtime try to acces the Internet and It does not install the current program but a program called ''RenameSrar''.
I have also this situation when I try to install SETI @ HOME.
>:(

The PhatNoise Music Manager autoupdate uses these same calls (Suf60Runtime and irsetup.exe located in the TEMP folder). It was looking for a specific IP address while ZoneAlarm Pro 4 blocked it before the updated started but was already downloaded from the PhatNoise site.

For those not familar with PhatNoise, it is basically a Linux box (computer) that plugs into certain car stereo's that plays mp3's. ;D

On an added note: After allowing it permission to acces the network (or else the program would not update), it then tried to 3rd party access Windows Media Player for some reason. Most likely to configure it with PhatNoise. :-X

Google brought me to this site also in response to Suf60runtime. I had just installed StyleXP (http://www.tgtsoft.com/download.php) and was browsing another site for new themes. [url=http://www.themexp.org/view_info.php?comments=1&id=31777]This theme[url], " DameK UltraBlue " 's installation triggered Zone Alarm to report that Suf60runtime, this time in the guise of iun2002.exe (installed to the Windows directory), attempted to access the internet. I should have known better to install a theme with an .exe installer, as all you really have to do is copy the files the the resources\themes directory. His theme also shows up in the Add\Remove Programs section in the control panel, and the Suf60runtime is called each time the theme is clicked for removal. Pissed me off.

Additionally, I ran Spybot Search & Destroy with the latest updates, and it didn't pick it up.

I recently installed an iPod synching program called iPodSync, and while installing it, zone alarm alerted me that suf60runtime wanted access to the internet. I assumed that this was included spyware and denied it access. Perhaps this program is also using the same generic installer?? Or perhaps it is bundling this spyware ap with the program.

suf60runtime

i just found irsetup at the same place and this took me here...when looking at what files have been modified at the same time i find this....

http://sites.internet.lu/folders/megagagga/irsetup.jpg


i remember trying to view a video with realplayer around that time, even if i thought this was about 10 minutes earlier....anyway, the windows/applicationdata/phoenix is cool too...

powerpnt.ini - i don't have powerpoint -

the zonealarmlogtxt says:

type,date,time,source,destination,transport
ACCESS,2004/01/22,23:15:50 +1:00 GMT,RealNetworks Event Launcher was blocked from connecting to the Internet (192.168.1.33:Port 1080).,N/A,N/A
ACCESS,2004/01/22,23:17:16 +1:00 GMT,RealOne Player was blocked from connecting to the Internet (192.168.1.33:Port 1080).,N/A,N/A
PE,2004/01/22,23:45:46 +1:00 GMT,Mozilla Firebird,127.0.0.1:1027,N/A
ACCESS,2004/01/22,23:45:52 +1:00 GMT,,N/A,N/A


the best now, i cannot find irsetup.exe anymore on hd now....honestly, i do not very remember having deleted it...the date changed to next day since i found it, but can this mean something, or is it just too late for me now...;¬)

but strange...

all the best,
bob

Hi Jim,

I am a developer. I am using setupfactory to create an installer for my application. Its an application for pocket Pc. The installer is created perfectly. its installes the product in my pocket pc. But when my friend downloaded from my site, the same installer throws a SUF60RUNTIME titled dialog box, stating send this error to Microsoft or deont send....
Can u tell me what this problem is...i am not able to figure it out....
Thanks

i too got this . it tryied to access 216.148.227.68:53 it must be spyware or something! this seems to be my nameserver at attbi.com

We are using SMS to do software audits and it identifys the file as Setup Factory 6.0 by Indigo Rose. Appears to be a tool to prepare software for installation.

Hi gang,

I just ran into this when istalling Kosun Pocket. A game I just bought. Has anyone found a diffinitive answer to this yet? Is this malware or spyware?

-{ Quote: " Kosun Pocket. " }-


That is supposed to read Korsun Pocket. ooops

Suf-60 Runtime,,,, I got mine, when I tried to uninstall SPYKILLER..
Talk about a TROJAN VIRUS... I did not buy it,, so it has been trying to take over my machine... There are folders and files that I can't remove from REGEDIT, that have SPYKILLER in them... I just did a SYSTEM RESTORE,
that got rid of the WHITE DIAGONAL line on my screen... AND SPYKILLER is trying to reinstall it'self... The System Restore was to a point before SPYKILLER CAME TO VISIT..... help...

Hi Willybeetoo :)

Welcome to Wilders.

Googled it, and found this,

http://amazingtechs.com/index.php?&act=ST&f=46&t=14525

Hope it helps.


snowbound

WOW,, and thanx Snowbound...
I have AD-Aware,, it don't catch SPYKILLER
I Have ZONE ALARM PRO,,, no help there
I have Norton's system utilities,,, but I haven't used it for anything but default Anti Virus....

Will try Reghance now,,,pray for me,, :o

The last time I did a Microshaft update ,, it cost me $500 to get my system back to where I could use it....Could that have been because MS did not want me to use WIN ME anymore???? I now have XP,, and am trying to get into dos to delete SPYKILLER FILES and FOLDERS,,, sofar no luck..


THANK YOU AGAIN FOR YOUR HELP.... willybeetoo

More info on Spykiller,

http://forums.vnunet.com/thread.jsp?forum=10&thread=25123

It definitely is a rogue spyware app.


snowbound

How Smart could the software be?

I was trying to get rid of files > 600K on my system that are useless so I can free some space. I found suf60runtime and wondered what it was for. so I researched and ended up here. I didn't delete it, but after reading that it isn't anything I want on my system I tried to go to the window I saw it in to delete it, and it wasn't anywhere to be found. It wasn't in my recycle bin either. Now I am really confused. I think I'm losing it.


Can spyware be so good that it knows when it's being searched on so that it renames itself, or hides, or removes itself? I feel like I am dealing with "The Usual Suspects". The greatest trick the devil ever pulled was convincing the world he didn't exist"

in a word yes they can, and this is common for the more sophisticated spyware. that is why cleaning in safe mode is very very important after a hit by trojan, virus, ...

I am writing this is a representative of Indigo Rose Software. We make an extremely popular software installer maker product called Setup Factory. It is used by thousands of software companies to make their setup.exe file. It is similar in scope of use to other products such as Installshield and Wise Installer.

The "SUF60Runtime" application (and "irsetup.exe") files comprise the main installation engine of installers created with Setup Factory 6.0. These files by themselves are definitely not spyware, trojans or viruses. Seeing them on your system is not a cause for concern - in fact they only appear when you run a setup.exe application created with Setup Factory 6.0.

The issue of firewall software like ZoneAlarm popping up an alert is related to the fact the some early versions of the Setup Factory 6.0 Runtime would attempt to initialize certain internal variables regarding your computer name etc, causing certain firewall software to flag these as DNS accesses etc. No information is being transmitted or retrieved at startup - simply initialization of internal data to perform the installation.

The important thing to note here is that like any setup.exe you will ever run, is that you need to know what you are installing, where it came from and who made it. Since installers are designed to do many things to a system in order for an application to work, it is very important that you trust the maker of the application itself. While Setup Factory 6.0 isn't a spyware product, the application you end up installing could possibly be. It's no different than products installed with Installshield, Wise, InstallAnywhere or whatever toolkit the software developer used to create their setup.

More information on Setup Factory (v6.0 has been replaced by v7.0) is available at http://www.setupfactory.com or on the Indigo Rose website at http://www.indigorose.com. We also maintain a user forum at http://www.indigorose.com/forums if you wish to ask any further questions.

Sincerely,

Ted Sullivan
Indigo Rose Corporation
http://www.indigorose.com

The program irsetup.exe loads as part of the startup program for the Lexar Multi-Card Read that reads digital camera cards.

I have had PopUpBlocker installed for years. It was always listed as running in the background on the Windows Task Manager screen.

I use AOL and AOL recently added it's own Pop Up Blocking software which I intended to install but wanted to remove the old PopUpBlocker program first. Aside from possible problems of having two programs trying to do the same thing, the original PopUpBlocker was installed at boot, used RAM, and consumed memory at all times - even when I was NOT on-line. The AOL blocker would load only when I started AOL and free up system memory, so it seemed a good thing to do.

In Control Panel, I went to remove programs and clicked on PopUpBlocker. Zonealarm immediately alerted me to Suf60runtime trying to access the internet.

I denied access, continued with the uninstall, loaded AOL and was informed that AOL's popupblocker was now running. So all is well with me.

I have never been alerted to Suf60runtime ever running previously. Attempting to remove PopUpBlocker triggered it for me. I thought this info being posted might help you guys with higher comperter skills than me.

i downloaded this this THING after typed in `riddick`in shareaza as i was after a crack and this suf60runtime file was what i got after clicking on the description which read `cronicals of riddick escape from butchers bay-no0 cd crack` so its obvious this is something down and dirty, best to stay away

greetings everyone ,, first time here and amazingy started browsing for this warning initiated by Zone alarm and i see that this Suf60 runtime dates back to 2003 .. so i guess its an oldtimer program acess ,, i just install tune xp
and denied acess to this suf60. and it seems to work fine therefore i dont think it was needed to install and i assume its spyware ( from all the concerns read throughout this forum ..

i am always curious to learn about internet security .. and one program that has me really helped out fine so far its of course zoone alarm

i had spysweeper also but ( never got around to a decent crack .. ) and not in a mood to pay or it so.. its a goner ..

one thing that has always worked fine .. ( its me that go crazy without need) its REGrun .. basically warns about attemps to change registry items
and when its well managed ( its not the case). it does an excelent job

so far in tihis couple of years of browsing never got any mahor problem with my PC

thanks for the input on this

Nuno - Portugal

@ MikeBCda

You might want to follow a more recent thread concerning this same Favoriteman\Adaware definitions update.

Also....I have taken the liberty to merge your post into that ongoing thread.

Merged to this thread---> http://www.wilderssecurity.com/showthread.php?t=95718

We'll close this thread since it is rather outdated.