SCI: Tech Fears Arise Over Norton and Pifts.exe


posted on Mar, 10 2009 @ 04:51 PM
A Symantec employee has posted about it here:

community.norton.com...



posted on Mar, 10 2009 @ 04:52 PM
reply to post by -0mega-
 


here you go: (this is on page 19 near the middle)


Originally posted by Armour For Victor

Originally posted by tommyboy1981
reply to post by FreezeM


I have tested Pifts.exe with Anubis which shows it accesses these folders containing private information! This and the fact Norton are actively trying to cover up PIFTS raises enough suspicions to warrant further investigations and I'm 90% sure a traffic dump would show this to be true!

Anubis Report on PIFTS.EXE

Norton does not need to use these folders to see how many installations there have been at all!!



[edit on 10-3-2009 by tommyboy1981]


You should send that to Norton or someone of interest.

(Just click on the ANUBIS REPORT ON PIFTS.exe in the ACTUAL POST, not this reply)



posted on Mar, 10 2009 @ 04:52 PM
That has been posted for quite some time now, and reposted here several times already.



posted on Mar, 10 2009 @ 04:55 PM

Originally posted by kuhl
Just out of interest, Edward A Mueller, the chairman of Qwest, is also linked to these guys, McKesson.

According to Forbes he's a director.

McKesson wiki

Previous McKesson ATS mention here, 2nd post down.


Dunno if this is all connected...but still interesting.


I still think we need to look at the bigger picture, i.e. who's behind this.

Qwest seems a good place to start.



posted on Mar, 10 2009 @ 04:57 PM

Originally posted by hadriana
A Symantec employee has posted about it here:

community.norton.com...


So basically Symantec is telling everyone not to search for any information on this or you could possibly be infected with a virus now.

I wonder if it's only Norton users that would get an infection.


Gotta love the smell now.

[edit on 10-3-2009 by XXXN3O]



posted on Mar, 10 2009 @ 05:00 PM

Originally posted by hadriana
A Symantec employee has posted about it here:

community.norton.com...


They removed all mention of pifts.exe not just the spammers


not one line.



posted on Mar, 10 2009 @ 05:00 PM

Originally posted by sir_chancealot
Why would PIFTS.exe send info to Google? I have no idea.


I haven't had a chance to dig into it, but it looks from what I've seen so far that it is at least somewhat hardened (probes for a debugger, obfuscates pointers, crashes boomerang). This isn't surprising for an AV component... but it does mean that it will be hard to figure out what it is doing. My (completely unsupported) suspicion at this point is that they aren't sending information to Google (is there a capture of what they are sending?) and instead are probing for the presence of Google Desktop for market research purposes.



posted on Mar, 10 2009 @ 05:02 PM

Originally posted by hadriana
A Symantec employee has posted about it here:

community.norton.com...


There's the thread where people can post their remarks.

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=39123&view=by_date_ascending&page=2

[edit on 10-3-2009 by straw]

[edit on 10-3-2009 by straw]



posted on Mar, 10 2009 @ 05:02 PM

Originally posted by zsrgt
First I need a copy of the file that was installed. None of the norton machines I have access to have this file.

Any verifiable links to the file, that are not viruses / trojans.



www....(nolink)/?mnmh35b9d0k

There you go. If you don't trust me, send it through an online scanner, it's clean.


Keep us updated, and thanks for your efforts!



posted on Mar, 10 2009 @ 05:06 PM
Norton's explanation was solid ... I think it was a mistake ...



posted on Mar, 10 2009 @ 05:16 PM
Solid as a steaming pile.



posted on Mar, 10 2009 @ 05:18 PM

Originally posted by Faiol
Norton's explanation was solid ... I think it was a mistake ...


So why erase even the legitimate questions about pifts.exe?

Why stay quiet for so long?



posted on Mar, 10 2009 @ 05:18 PM
So... let me get this straight.

Symantec put up this (totally lame) cover story...

And suddenly we've got some guys rubber stamping the official 'explanation'.




posted on Mar, 10 2009 @ 05:18 PM

"In a case of human error, the patch was released by Symantec "unsigned","

I think you meant to say, "One of our programmers intentionally left this 'patch' unsigned in order to blow the whistle on our collusion with intelligence agencies."


Source

10/10.


That was my first guess. Someone "inside" knew about this spyware update, and intentionally left it unsigned to get this issue out in the open. Kudos!

I wonder how long it takes, before all this stuff gets deleted. What are they going to do? Those are burning questions, they are intelligently argumented into a corner now. Anybody wants to guess what's their next move? Just playing ostrich? In reference to the narcotics outrage here in ATS, that may not play out very well...

[edit on 10.3.2009 by SiONiX]



posted on Mar, 10 2009 @ 05:20 PM
I'm not the most technically minded person, and I don't use Norton so I can't know if this will work, but has anyone considered using a packet sniffer to see what and where the data is going?



posted on Mar, 10 2009 @ 05:22 PM
reply to post by Ian McLean
 


WOW! Have you guys seen these posts?????
(Link originally posted by Ian McLean HERE)

www.tech-linkblog.com...

Posted by "thewhitemexi" 14 hrs ago.

Wow, ok there is definitely something going on here. I just called customer support and after running around for a bit, the operator gained a worried tone in his voice and said he'd put me on hold for a few minutes while he did some research as to what the problem was.

After that, he transferred me to technical support. I spoke to a woman who got my information and didn't seem to know what pifts.exe was. She actually said, "When I searched on google, there are no results for pifts.exe."

This means one of two things.

1) She was lying to cover something up.
2) The company is blocking their own tech support people from viewing anything with pifts on it.

CONSPIRACY!!!!!!


Posted by "T S" 13 hrs ago.

The same thing happened to me. I posted a question that said, "What is PIFTS.EXE? C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt1... I posted it at 10:32pm PST and it was removed within a minute. I am no longer able to post a new message or reply to any others.

I was on the phone with Symantec from 9:00pm PST until 11:00 and got basically no decent answers. They finally admitted it was part of the install process but couldn't tell me what it was for. Every time that I asked why messages were being removed from the Forum, I got transferred to someone else. I started at Tech Support talking to Ella, then got transferred to Sam in the Virus Removal Dept. I asked him the same questions, then finally I asked to speak to a Supervisor, and got Frank the floor supervisor. He said that it was not a virus but a "System File Issue" and he would have to transfer me to Technical Support. I then spoke to Fahed and asked the same questions. After a while he came back and explained that the system puts out updates every hour and this was part of that process. I asked again why messages about this issue were being deleted from the Norton Forum. While I was on hold, I posted myself to the Norton Forum to see what would happen (see above for that information). My question was again ignored and he then wanted to enter my computer remotely and look for viruses. I said that my question has still not been answered and I feel that something very suspicious was going on with Symantec. I told him that I was not going to allow anyone from Symantec to access my computer because I have lost my trust in the company because of the way I am being treated. I told him that I was finished with the call and would just contact the media and hung up. He called right back and told me he wanted to transfer me to his Supervisor since I was obviously not satisfied with my call. I next spoke to Austin, Case Manager. He basically repeated the same crap as everyone else and would not tell me why my post and others were deleted. I told him that I am done with Norton products and will remove them from all of my computers and others that I have installed their product on. This is crazy! Let's get the word out there!
Symantec is digging a big hole with this issue and losing customer trust! What exactly are they trying to install on our systems?
Source(s):
forums.zonealarm.org...
13 hours ago


Posted by "GORDON B" 12 hrs ago.

I can only guess that Symantec are using this program to collect some
statistics. What statistics they are trying to collect would be the big
question.

I guess this because my Norton Firewall log says the following

10/03/2009 10:00:34,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Outbound TCP connection. Remote address,service is (stats.norton.com(67.134.208.160),http(8... Process name is ""C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\Updt8...
12 hours ago


-ChriS


[edit on 10-3-2009 by BlasteR]



posted on Mar, 10 2009 @ 05:22 PM
community.norton.com...


Here's an Anubis analysis report of PIFTS.exe:

anubis.iseclab.org...

Looks to be collecting information from cookies, temp files, Internet Explorer, and recording searches in google and google desktop. Norton doesn't need to use these folders to see how many installations there have been, so why it's mining your search data/history and phoning home is anyone's guess.
Message Edited by TheMagicLantern on 03-10-2009 03:17 PM


This question has been asked time and time again throughout the thread, and no answer or response has been given that even remotely addresses the question as to why this file is sending cookies, temp files, recorded searches, to a known and associated data storage site.



posted on Mar, 10 2009 @ 05:29 PM

Originally posted by Gemwolf
Very interesting.

It seems to be true (that they're deleting the topic).

Google search results

All topics deleted.

Time to do some digging...


You know what's really interesting?

When I click on your google search link, look right below the text entry bar.
It says "Do you want to search ( ) the web ( ) pages in South Africa"
What's up with that???
Why would it mention South Africa?



[edit on 3/10/2009 by pjslug]



posted on Mar, 10 2009 @ 05:33 PM

Originally posted by hadriana
A Symantec employee has posted about it here:

community.norton.com...



* O LAWD IM CHOKIN ON PIFTS PLZ HALP
* OH GOD YOU GOT CHOCOLATE IN MY PIFTS
* If you wanna be my NORTON/ you gotta deal with my P ! F T S . E X E
* IF PIFTS.EXE WAS HERE, THEN WHO WAS PHONE?
* PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE PIFTS.EXE
* I LOVE MY PIFTS.EXE


That was epic.

There's no way a Norton employee could have read those without laughing.

Their explanation on the thread deletions however is only the half-truth. They never explained why they deleted the legitimate threads regarding the software, and why it took them so long to make a comment about it, or why all the threads from other websites were so quickly deleted.

I'm thinking a Norton programmer either made a major flub by not adding a certificate to the hidden program, or they knew that the program was malicious and wanted to expose it for others to see, by not adding a certificate.

[edit on Tue Mar 10th 2009 by DJMessiah]



posted on Mar, 10 2009 @ 05:34 PM

This question has been asked time and time again throughout the thread, and no answer or response has been given that even remotely addresses the question as to why this file is sending cookies, temp files, recorded searches, to a known and associated data storage site.

All of that stuff gets pulled in automatically with certain APIs (IIRC wininet is one of them). Basically what happens is that the app creates an IE instance and the IE instance pulls all of that in... I don't know if that is the case here but it has been the answer to why applications that shouldn't be pulling that stuff are loading it.

[edit on 10-3-2009 by baahl]



