SCI: Tech Fears Arise Over Norton and Pifts.exe


posted on Mar, 10 2009 @ 11:02 AM
reply to post by FreezeM
 


I have tested Pifts.exe with Anubis which shows it accesses these folders containing private information! This and the fact Norton are actively trying to cover up PIFTS raises enough suspicions to warrant further investigations and I'm 90% sure a traffic dump would show this to be true!

Anubis Report on PIFTS.EXE

Norton does not need to use these folders to see how many installations there have been at all!!



[edit on 10-3-2009 by tommyboy1981]



posted on Mar, 10 2009 @ 11:03 AM
reply to post by Armour For Victor
 


The site is still being spammed etc.

Look at this comment.

community.norton.com...

Comments were -

I have just noticed this appearing in my NAV2008 activity log

Details:

Rule "Implicit block rule" blocked (0.0.0.0,bootps(67)).
Inbound UDP packet.
Local address,service is (255.255.255.255,bootps(67)).
Remote address,service is (0.0.0.0,bootpc(68)).
Process name is "N/A".

Any idea what this means?

Coolface
Registered: 03-10-2009

"delete the folder system32 it makes your pc faster, too "

This would ruin Windows if done.



[edit on 10-3-2009 by XXXN3O]



posted on Mar, 10 2009 @ 11:06 AM

Originally posted by FreezeM
I am in no way defending Symantec here. I got rid of their products years ago. And I think it's wrong for them to collect any data from a PC and send it without consent. But are we sure that they access temporary files, cookies or history and send that to their servers? Or is that part just speculation? I have not seen any traffic dump.


I believe some people here are fearmongering a bit.

As in: Oh crap Virus Alert -> Internet Access -> MUST BE SCARY STUFF!!!

I think we can take it for granted that most of those people have files on their PCs that are sending data to websites without their consent.

I'm helping someone else with some school related stuff so my promise of laying down some info about the process in layman's terms will have to wait.

If you wait one sec I'll post some info regarding the file xd.

I hope I didn't get your hopes up, considering this is just my plain logic speaking here, none of my ''disassembly'' adventures.

EDIT: Regarding the FILENAME

Filename:
Someone else in this thread spoke of PifSVC.exe
Someone on the Norton forums spoke of a PIF error when a .dll was getting installed.

Personal Conclusion: PIF is an abbreviation, so SVC and TS must be abbreviations as well. Searching for these abbreviations gave me the following plausible results:

PIF:
1) Program Information File
2) Peripheral Interface File
3) Programmable Initialization File

SVC:
1) Services (eg.: svchost.exe)

TS:
1) Transfer Start
2) Top Secret (lololol)

[edit on 10/3/09 by -0mega-]



posted on Mar, 10 2009 @ 11:11 AM
Here's something.

Yesterday's Google Trends for pifts.exe

If you searched for it in Trends right now...Nothing!!

But if you tweak yesterday's result with today's date www.google.com...

Which says it peaked 14 hours ago and is now only medium...however Digg and especially Twitter are flooded with results.

Just a weird thing I'm sure - nothing fishy about it whatsoever.

-m0r



posted on Mar, 10 2009 @ 11:11 AM
reply to post by XXXN3O
 


Yea and that guy who posted is a newbie. Hope the OP doesn't listen to him.



posted on Mar, 10 2009 @ 11:14 AM

Originally posted by tommyboy1981
reply to post by FreezeM
 


I have tested Pifts.exe with Anubis which shows it accesses these folders containing private information! This and the fact Norton are actively trying to cover up PIFTS raises enough suspicions to warrant further investigations and I'm 90% sure a traffic dump would show this to be true!

Anubis Report on PIFTS.EXE

Norton does not need to use these folders to see how many installations there have been at all!!



[edit on 10-3-2009 by tommyboy1981]


You should send that to Norton or someone of interest.



posted on Mar, 10 2009 @ 11:14 AM
Sorry

Double post!

Peace!

[edit on 10-3-2009 by Armour For Victor]



posted on Mar, 10 2009 @ 11:18 AM
Well guys, I am not very PC savvy so forgive me if this has no relevance....I was on the net a couple of weeks ago and I started getting an urgent message from "360" that I had trojans in my system and all kinds of stuff! I have Norton installed on it. It is called Norton 360. I don't remember what it was asking me to "run" but I did and it would not quit flashing all over the screen. It interfered with my entire PC and after a couple of days I finally just paid the frigin $49.95 it was asking and .....poof, it disappeared! I know I was scammed but wonder if this is related to this thread?



posted on Mar, 10 2009 @ 11:20 AM
reply to post by PammyK
 


I haven't researched anything about Norton 360 yet, but I did notice a reference to Norton 360 in that PIFts.exe file everyone keeps talking about.

edit: Norton 360 is just another application made by Symantec, another anti-virus.

[edit on 10/3/09 by -0mega-]



posted on Mar, 10 2009 @ 11:20 AM
No,

This has nothing to do with the whole PIFTS.EXE thing.

Like you said you were scammed. What you should have done is just reformatted and reinstalled your OS.



posted on Mar, 10 2009 @ 11:27 AM
Greetings everyone, I was the poster quoted in the main post from /g/ on /x/ asking for assistance.

Apparently it has nothing to do with Africa, but the only blog available at the time said that is where it was sent. I saw a topic on /g/ (technology) that would have otherwise gone unnoticed about a mysterious program accessing the internet and Symantec deleting posts about it and immediately a conspiracy came to my mind. I started beating the drums about it on /g/ and before I knew it it spawned several massive threads. I did not want the intervention of /b/ but eventually they found out about it. /g/ is far more legitimate than /b/. My fear of it reaching /b/ was that this whole thing would be dismissed as "lol4chan," which is understandable. But you must understand that this thing was initially brought up by night shift technology section. These are not the people with "V" masks protesting Scientology, very many professionals use that section, especially at night when the kids have gone to bed for school in the morning.

But this is a serious issue and Symantec is trying to cover it up. We started digging and pulling everything up we could, and any posts on Symantec's forums were deleted. We looked into the file and we found it accessed temporary internet files, history, and Google desktop. At first we started out with basic info about what we had (the thing about Africa turned out to be incorrect), and I and many other /g/ users started spreading it around, as this is our duty when coverups occur.

Do not simply dismiss it as baseless 4chan shenanigans, something very real is going on. Even though 4chan /g/ played a key role in spreading it around does not mean it can be safely overlooked. Before the idiotic users of /b/ started "raiding" Norton it was a certainty that if you posted a thread about PIFTS.exe it would be deleted.

So I had made some initial errors stating what the program does. Let's take it from here. The program accesses temporary internet files, history, Google desktop, and tries to contact Swapdrive (owned by Symantec). Washington Swapdrive is an online storage facility. Was it taking your browsing history or using Google desktop in nefarious ways and then going out to Swapdrive to try to store it?

I am a /g/ user, and when I saw the thread I jumped on to it and started beating the "CONSPIRACY" drums very hard, and the whole thing just exploded from there. I regret that /b/ got involved as it did, they are great at disenfranchising anything that comes from 4chan. But do not make the mistake of thinking all users of 4chan, especially the "night shift" technology board, are all in the same boat. /g/ was responsible for raising the issue and demanding answers, and we spread it throughout the internet. I wake up today and PIFTS.exe and conspiracy theories are everywhere.

I demanded the community demand answers and to get other people to ask the same questions I was asking, and everyone seems to be interested. I knew the whole thing was fishy and it smelled like a coverup. Looking deeper into it, I believe that is the only thing it could possibly be.

Norton looking at your cookies, browsing history, and interfacing with Google desktop, and then going out and contacting an internet storage site? Does that seem right to you? Everyone spread the word.



posted on Mar, 10 2009 @ 11:27 AM
The info on 67.134.208.160 is very strange



IP owner info (Whois)
Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1) 67.128.0.0 - 67.135.255.255
SwapDrive QWEST-IAD-SWAPDRIVE4 (NET-67-134-208-128-1) 67.134.208.128 - 67.134.208.255

# ARIN WHOIS database, last updated 2009-03-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Domain owner info (Whois / Abuse)

No data available...



Edit: As the previous poster stated, the Africa stuff is wrong. So no need for the third IP address.




[edit on 10-3-2009 by Cyberzone]
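
How the two ARIN records quoted in the post above relate to the address 67.134.208.160: both ranges contain it, the larger being the parent allocation and the smaller a sub-range inside it. This is an added example, not part of the thread; the record layout the regex assumes is inferred from that one quoted line.

```python
import ipaddress
import re

# ARIN summary text as quoted in the post above (two records run together).
ARIN_SUMMARY = (
    "Qwest Communications Corporation QWEST-INET-11 (NET-67-128-0-0-1) "
    "67.128.0.0 - 67.135.255.255 SwapDrive QWEST-IAD-SWAPDRIVE4 "
    "(NET-67-134-208-128-1) 67.134.208.128 - 67.134.208.255"
)

# Assumed record layout: <org> <NETNAME> (<NET-handle>) <first ip> - <last ip>
RECORD = re.compile(
    r"(?P<org>.+?)\s+(?P<netname>[A-Z0-9-]+)\s+\((?P<handle>NET-[0-9-]+)\)\s+"
    r"(?P<first>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<last>\d+\.\d+\.\d+\.\d+)"
)


def parse_records(text):
    """Split a run-together ARIN summary into one dict per network record."""
    records = []
    for m in RECORD.finditer(text):
        records.append({
            "org": m["org"].strip(),
            "netname": m["netname"],
            "handle": m["handle"],
            "first": ipaddress.IPv4Address(m["first"]),
            "last": ipaddress.IPv4Address(m["last"]),
        })
    return records


def most_specific(records, ip):
    """Return the smallest registered range containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    covering = [r for r in records if r["first"] <= addr <= r["last"]]
    if not covering:
        return None
    return min(covering, key=lambda r: int(r["last"]) - int(r["first"]))


def cidrs(record):
    """Express a first-last range as the CIDR blocks that cover it exactly."""
    nets = ipaddress.summarize_address_range(record["first"], record["last"])
    return [str(n) for n in nets]


if __name__ == "__main__":
    recs = parse_records(ARIN_SUMMARY)
    hit = most_specific(recs, "67.134.208.160")
    print(hit["org"], hit["netname"], cidrs(hit))
```
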



posted on Mar, 10 2009 @ 11:28 AM
reply to post by grantbeed
 



Slight OT, but when I got my last computer a year ago, the friendly Geeksquad guys at Best Buy uninstalled Norton for me.
Therefore, I had no traces and no huge systems hangups due to the large resource hog that is Norton.


This pifts.exe thing is just another strange appearing in an ever stranger world.



posted on Mar, 10 2009 @ 11:31 AM
Q West info here
wiki

Qwest homepage

They seem to be an internet provider in the US.

Their HQ is in Denver. Isn't something else going on in Denver today?

[edit on 10/3/2009 by kuhl]



posted on Mar, 10 2009 @ 11:33 AM
en.wikipedia.org...(software)
Magic lantern it is?

Or CPIV?
en.wikipedia.org...
Or OASIS?
en.wikipedia.org...(software)

WHOIS - 67.134.208.160
Location: United States [City: Washington, District Of Columbia]
Qwest Communications Corporation

en.wikipedia.org...

Former Qwest CEO Joseph Nacchio, who was convicted of insider trading in April 2007, alleged in appeal documents that the NSA requested that Qwest participate in its wiretapping program more than six months before September 11, 2001. Nacchio recalls the meeting as occurring on February 27, 2001. Nacchio further claims that the NSA cancelled a lucrative contract with Qwest as a result of Qwest's refusal to participate in the wiretapping program.



[edit on 10-3-2009 by CaptainCaveMan]



posted on Mar, 10 2009 @ 11:35 AM
Here's the first reply from a Symantec employee on the boards

community.norton.com...

"To my limited knowledge, that program is legitimately delivered in a LiveUpdate package.



The topics are deleted because it appears that somebody is abusing this system and some legitimate posts may be the collateral damage associated with dealing with this abuse.



-Reese Anschultz
Sr. SQA Manager
Symantec Corporation "

Still not an answer though



Edit: Removed 30 seconds later

I looked up the employee that answered then removed the post, maybe someone can contact them if they want an answer via email etc community.norton.com...


[edit on 10-3-2009 by XXXN3O]



posted on Mar, 10 2009 @ 11:36 AM
The second IP address is : 207.46.248.249

Info:




IP owner info (Whois)


OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET
NetHandle: NET-207-46-0-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 1997-03-31
Updated: 2004-12-09

RTechHandle: ZM39-ARIN
RTechName: Microsoft
RTechPhone: +1-425-882-8080
RTechEmail: [email protected]

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName: Hotmail Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName: MSN ABUSE
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]

OrgNOCHandle: ZM23-ARIN
OrgNOCName: Microsoft Corporation
OrgNOCPhone: +1-425-882-8080
OrgNOCEmail: [email protected]

OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2009-03-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

------------------------------------------------------------------------------------
Domain owner info (Whois / Abuse)
Whois record :

Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US

Domain name: WINDOWS.COM


Administrative Contact:
Administrator, Domain [email protected]
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN [email protected]
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080


Registration Service Provider:
DBMS VeriSign, [email protected]
800-579-2848 x4
Please contact DBMS VeriSign for domain updates, DNS/Nameserver
changes, and general domain support questions.


Registrar of Record: TUCOWS, INC.
Record last updated on 03-Jan-2008.
Record expires on 04-Jun-2014.
Record created on 11-Sep-1995.

Registrar Domain Name Help Center:
domainhelp.tucows.com...

Domain servers in listed order:
NS2.MSFT.NET
NS4.MSFT.NET
NS1.MSFT.NET
NS5.MSFT.NET
NS3.MSFT.NET


Domain status: clientDeleteProhibited
clientTransferProhibited
clientUpdateProhibited



posted on Mar, 10 2009 @ 11:38 AM

Originally posted by kuhl
it.slashdot.org.../03/10/139229

www.abovetopsecret.com...

blog.bull3t.me.uk...

answers.yahoo.com...

The posts on Norton's forum continue, now there's loads of links


When I clicked on the slashdot link, I get this:


Nothing for you to see here. Please move along


Note: It appears that there was an error in the bbc code for the link, so it seems slashdot is "NOT" compromised in this issue.

slashdot compromised????????

[edit on 3/10/2009 by mrmonsoon]



posted on Mar, 10 2009 @ 11:40 AM

Originally posted by Cyberzone
The second IP address is : 207.46.248.249


67.134.208.160 was Microsoft also, must have been changed within the past hour.

I checked in on Netcraft earlier, it's now saying Swapdrive.

Seems like there are a lot of wheels turning here.

-m0r



posted on Mar, 10 2009 @ 11:40 AM
Interesting.

Apparently they have been deleting any mention of the pifts.exe for some time now. I've been following the norton forums for over an hour, and one system employee claimed in a legit non-spam thread, it is a legitimate LiveUpdate component or something, then suddenly the whole thread was gone in a few minutes. He also said that the deletions are because of abuse to the system, so there is some collateral damage. But then that very thread, swiftly disappeared. Good lord, they give a response then delete the response in a matter of like 1-2 minutes. Really bizarre stuff happening over there


The only thing we seem to know so far, is that pifts.exe is a series of tubes.

Still awaiting the pift.exe dramatic chipmunk video


[edit on 10-3-2009 by elcapitano75]


