Suf60runtime?

Discussion in 'privacy general' started by notageek, Jun 2, 2003.

Thread Status:
Not open for further replies.
  1. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Anyone know what this is? A friend of mine told me about a Windows cleaning program (cleans junks and dupes) and when I was going to install it I got a pop up from my Firewall asking if I will allow this program to access the internet. This sounds really fishy to me. The program I was trying to install is CMDisk Cleaner. I found it at webattack.com
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Re:Suf06runtime?

    Hi notageek,

    Can you explain this statement a little more? ("...when I was going to install it...") Had you actually run the install, and had it finished yet, or was it near the finish? Since CM DiskCleaner seems to have an automatic update feature, (see their home page: here), this could simply have been the first update attempt.

    Can you also check the Properties... on the file to see what all is contained in the Version tab? If it is clearly part of the CM DiskCleaner product, then that might explain it.

    I'm assuming you've scanned the file with all your AV/AT tools, correct?

    Another trick for figuring out what it's doing is - in your firewall give the program access to just your DNS servers, but block other Internet addresses, then run it again and see where it's trying to go to (by the blocked destination address connections in your firewall log).
     
  3. notageek

    notageek Registered Member

    Re:Suf06runtime?

    Hi LWM, the file was scanned with AV. Now when I clicked on the file to install it, before it even came up with the normal "you're about to install so and so program" the file tried to access the internet. The file wasn't even installed yet. But trying it again I found that I misspelled the name. It's SUF60RUNTIME. I read that they have an auto updater on their web site before I even posted and ruled that out cuz the program never installed.

    I checked the properties and didn't see a file called SUF60RUNTIME at all. But here's the company this program comes from: Indigo Rose Corporation http://www.indigorose.com

    I'm going to look around about this company and see what I can dig up. It's still odd that a program wants to access the internet before it even shows an install window.
     
  4. LowWaterMark

    LowWaterMark Administrator

    I'm still wondering where the program name "SUF60RUNTIME" comes from. The install kit for CM DiskCleaner is "CMDiskCleaner.exe", and it's a 5.7MB installation kit. (That is the file you are double clicking to install the app, right?)

    I don't understand how "SUF60RUNTIME" fits in at all. (Though I guess you don't either, which is why you are asking the question.) So, you can't find any file on your system named SUF60RUNTIME - anywhere?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Too bad this person didn't state what program he was trying to install.
    Do you have a program that can provide you with a list of all your startup entries (including the RunOnce key)?
    If you don't, try AutoStartViewer

    Regards,

    Pieter
     
  6. LowWaterMark

    LowWaterMark Administrator

    Okay, I decided to throw caution to the wind and tried downloading and installing the program myself... :D SUF60Runtime is definitely one of the first programs extracted and run from the CM DiskCleaner installation kit.

    Once you double click on CMDiskCleaner.exe, it extracts a few modules to your \Temp\ folder, one of which is a file named irsetup.exe (which has the internal program description/name: SUF60Runtime).

    See the mess of an image below for additional information. :eek:

    irsetup.exe (aka. SUF60Runtime) immediately attempts to access DNS. But, it appears DNS is all it's trying to access. It does not try to connect anywhere after you give it access to DNS. It may simply be trying to find information about your system (perhaps even just its name). After DNS, it attempts to access NetBIOS - this may also be to simply find out information about your system (again, maybe its name). None of this appears to be an attempt to connect to any other system.

    I stopped the install after these first few items as I did not wish to actually install this application. But, from what I can tell it is not malicious.

    >> Too bad this person didn't state what program he was trying to install...

    Yes, that person is describing exactly this functionality.

    Looking just at the properties description of the kit itself and irsetup.exe, I'm wondering if this is just the functionality of a generic "installer". The makers of CM DiskCleaner may not be using their own installer, but rather one they purchased or licensed from someone else, which has this standard installation process.

    As I said, I don't think there is anything malicious here. If you want to use CM DiskCleaner, you'll need to let its installer run. I believe it'll install just fine without giving Internet access, given what it appears to be using it for.

    Oh, and if you open the .ini & .dat files in the \temp\ folder, you'll see a lot more installation information.
     

  7. notageek

    notageek Registered Member

    Thanks Pieter and LWM.

    Pieter, I ran ASviewer and saw nothing there that wasn't there before I tried to install this program. What I do is when I run ASviewer I take a screenie of it and compare when I run it again. :D

    LWM, thanks for the help. I think I'm not going to install this program and just clean the dupes and temp files the old-fashioned way. Who knows, maybe the program itself might even call out after a full install. ;)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Good thinking.
     
  9. aaron1195

    aaron1195 Guest

    Generic installer possibility confirmed. I have reformatted and reinstalled Win2K today. I always install ZoneAlarm firewall immediately after internet connection established. I installed several utilities and one of them activated SUF60runtime. ZoneAlarm caught it also.

    Perhaps this is a Win component that the installers "call".
     
  10. notageek

    notageek Registered Member

    I'm going to email the maker and find out what it is and why it needs access to the internet. I'll post back if I get a reply.
     
  11. notageek

    notageek Registered Member

    This is what the Maker or a tech person from the company that makes CMDisk Cleaner replied back to me in an email. Now keep in mind I asked what Suf60runtime is and why does it need access to the internet this is what he replied.
    It seems that there is something wrong with your install file.

    The file should be

    4.31 MB (4,526,549 bytes)

    I tested the file yesterday and it worked fine.

    CM DiskCleaner doesn't need to access internet to install.

    Regards
    Christer

    Take that for what it's worth.
     
  12. Jim

    Jim Guest

    I arrived here following my Google search for Suf60runtime, which was trying to access the Net and was questioned by ZoneAlarm. In my case, Suf60runtime is associated with PopUp Killer, a now defunct popup stopper. The access request occurred again as I was about to reinstall PopUp Killer.

    I don't know why a program would need Net access while uninstalling/installing a program.

    Jim
     
  13. notageek

    notageek Registered Member

    I went ahead and installed the CMdisk cleaner and ran spybot S&D and Adaware. I also ran trojan hunter, bit defender and McAfee VS 7.0 and nothing came up. Looks rather clean to me. Nothing seems to ask to access the internet after I run it or anything. Nothing new running in my background.
     
  14. Jim

    Jim Guest

    Perhaps we can set this to rest. Although this reply from Indigo Rose is a tad technical for me. At least, they replied to my inquiry.
    ----------------------------------------------------------
    Jim,

    Thank you for contacting us on this issue. Setup Factory 6.0 does not access the Internet at runtime by default. The Setup Factory runtime populates some network variables such as %LANDomain%, %LANHost%, %LANIP% that causes some firewall programs to flag this program. I can assure you that the Setup Factory runtime does not access the Internet when these variables are filled.

    There is the possibility that the developer of the setup that you are running has some actions that access the Internet such as to download a file or submit to a web server. These actions are the responsibility of the designers of the setup that you are running. Our product is used by developers to create installs for their software so the actual implementation of these files is totally out of our hands.

    Sincerely,

    Adam Kapilik
    Tech Support
    Indigo Rose Corporation
    http://www.indigorose.com/
     
  15. LowWaterMark

    LowWaterMark Administrator

    Hi Jim,

    Yes, that does make sense. As noted above, the accesses the installer program is making appear to be related to gathering some of the PC's own network information, which sounds like what they were describing in their message back to you. These accesses could be enough to trigger a software firewall alert.

    In the testing that I performed, after the program accessed DNS and NetBIOS, it never attempted further network access (it did not try to get to any site out on the Internet).

    Thanks for letting us know what they said!

    Best Wishes,
    LowWaterMark
     
  16. Logimus

    Logimus Guest

    If you guys are still interested ;

    here's a link to a site where you can download a program called B-news,
    This program is used for downloading files out of A.B. newsgroups.
    During the installation of this program (B-News), Suf60runtime is launched as well.

    Zone alarm reports :

    Program version 6.0.0.2
    The version of SUF60Runtime running on your computer

    this is the link from where you can download the program ;
    http://b-news.sourceforge.net/

    Sincerely,

    Logimus
     
  17. thebard

    thebard Guest

    As mentioned in an earlier post, one of the other files installed is something called "irsetup.exe". *That* file could be part of a trojan.

    See
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.lolok.html

    and search for "irsetup.exe" on that page.

    Just because suf60runtime did not call home the first time it was used, does not mean it won't later!
     
  18. Steelerspace

    Steelerspace Registered Member

    Joined:
    Sep 26, 2003
    Posts:
    1
    Hey Folks.

    I too ended up here after finding an installer on my machine that runs this prog ... It turns out that Suf60runtime is SPYWARE and tries to access the net so it can install the spyware prog American.exe or an updated (and re-named) version ! :mad:

    I did a netsearch and Symantec have a security response for it and they show how to remove it from your system :

    http://www.symantec.com/avcenter/venc/data/american.exe.file.threat.html

    Hope this helps
     
  19. ZapLapage

    ZapLapage Guest

    I have also this problem when I install a backup utility from Iomega. The SUF60Runtime tries to access the Internet and it does not install the current program but a program called ''RenameSrar''.
    I have also this situation when I try to install SETI @ HOME.
    :mad:
     
  20. kewl_blades

    kewl_blades Registered Member

    Joined:
    Oct 23, 2003
    Posts:
    1
    The PhatNoise Music Manager autoupdate uses these same calls (Suf60Runtime and irsetup.exe located in the TEMP folder). It was looking for a specific IP address while ZoneAlarm Pro 4 blocked it before the update started but was already downloaded from the PhatNoise site.

    For those not familiar with PhatNoise, it is basically a Linux box (computer) that plugs into certain car stereos and plays mp3s. :D

    On an added note: After allowing it permission to access the network (or else the program would not update), it then tried to 3rd party access Windows Media Player for some reason. Most likely to configure it with PhatNoise. :blink:
     
  21. Jeff  D

    Jeff D Guest

  22. Jeff D

    Jeff D Guest

    Additionally, I ran Spybot Search & Destroy with the latest updates, and it didn't pick it up.
     
  23. RG

    RG Guest

    I recently installed an iPod synching program called iPodSync, and while installing it, zone alarm alerted me that suf60runtime wanted access to the internet. I assumed that this was included spyware and denied it access. Perhaps this program is also using the same generic installer?? Or perhaps it is bundling this spyware app with the program.
     
  24. suf60runtime
     
  25. i just found irsetup at the same place and this took me here...when looking at what files have been modified at the same time i find this....

    http://sites.internet.lu/folders/megagagga/irsetup.jpg


    i remember trying to view a video with realplayer around that time, even if i thought this was about 10 minutes earlier....anyway, the windows/applicationdata/phoenix is cool too...

    powerpnt.ini - i don't have powerpoint -

    the zonealarmlogtxt says:

    type,date,time,source,destination,transport
    ACCESS,2004/01/22,23:15:50 +1:00 GMT,RealNetworks Event Launcher was blocked from connecting to the Internet (192.168.1.33:port 1080).,N/A,N/A
    ACCESS,2004/01/22,23:17:16 +1:00 GMT,RealOne Player was blocked from connecting to the Internet (192.168.1.33:port 1080).,N/A,N/A
    PE,2004/01/22,23:45:46 +1:00 GMT,Mozilla Firebird,127.0.0.1:1027,N/A
    ACCESS,2004/01/22,23:45:52 +1:00 GMT,,N/A,N/A


    the best now, i cannot find irsetup.exe anymore on hd now....honestly, i do not very remember having deleted it...the date changed to next day since i found it, but can this mean something, or is it just too late for me now...;¬)

    but strange...

    all the best,
    bob
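
The firewall-log triage suggested earlier in the thread (allow DNS, block everything else, then read the blocked destinations from the log), applied to the ZoneAlarm log layout quoted in the last post. This is an added example, not part of any poster's message: the sample log is constructed, and it assumes the address in parentheses is the destination the program was blocked from reaching and that 192.0.2.0/24 stands in for the local network.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout quoted in the thread. Program names
# and addresses are invented (192.0.2.0/24, 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
type,date,time,source,destination,transport
ACCESS,2004/01/22,23:15:50 +1:00 GMT,Example Installer was blocked from connecting to the Internet (192.0.2.10:port 137).,N/A,N/A
ACCESS,2004/01/22,23:15:52 +1:00 GMT,Example Installer was blocked from connecting to the Internet (198.51.100.7:port 80).,N/A,N/A
ACCESS,2004/01/22,23:15:53 +1:00 GMT,Example Installer was blocked from connecting to the Internet (198.51.100.7:port 80).,N/A,N/A
PE,2004/01/22,23:45:46 +1:00 GMT,Example Browser,127.0.0.1:1027,N/A
ACCESS,2004/01/22,23:45:52 +1:00 GMT,,N/A,N/A
"""

# Message text of a blocked-connection ACCESS entry, as it appears in the thread.
BLOCKED = re.compile(
    r"^(?P<program>.+?) was blocked from connecting to the Internet "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):port (?P<port>\d+)\)\.$"
)

def blocked_destinations(log_text):
    """Return {program: sorted unique (ip, port) pairs it was blocked from}."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 4 or row[0] != "ACCESS":
            continue  # header line, PE entries, truncated lines
        match = BLOCKED.match(row[3].strip())
        if match is None:
            continue  # ACCESS entry with an empty or unrecognised message
        seen[match["program"]].add((match["ip"], int(match["port"])))
    return {program: sorted(dests) for program, dests in seen.items()}

def off_lan(dests, lan="192.0.2.0/24"):
    """Keep only destinations outside the local network (assumed value)."""
    network = ipaddress.ip_network(lan)
    return [(ip, port) for ip, port in dests
            if ipaddress.ip_address(ip) not in network]

if __name__ == "__main__":
    for program, dests in blocked_destinations(SAMPLE_LOG).items():
        print(program, "blocked:", dests, "off-LAN:", off_lan(dests))
```

An installer that only shows local-network destinations here matches the NetBIOS and own-address lookups described in the thread; off-LAN entries are the ones worth following up.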
     