What is going on with Norton's forum?

Just thought I'd go on there to see what's happening and it seems some idiots have been starting threads about PIFTS.exe or something like that.

You'd have thought they'd have had moderators on there to stop crap like this - spoils it for the rest of us!

Check the link here.....http://community.norton.com/norton/board?board.id=nis_feedback

 

I presume there was no money left for moderators, just like insufficient funding for support, and the ASK deal with IAC which was apparently also necessary.

Symantec must be heading for bankruptcy, or maybe the executives want a higher bonus.

 

Good response! Seems that whole forum has just been spammed big time.....feel sorry for those who actually go there to get support/post problems....they'll just be swallowed up by the growing number of those spam threads and ignored.

Love to get hold of these wasters and line 'em up and....you know the rest!

 

Whoever is doing it will be bored soon.

Notice how the mac forum is untouched. Total spamming would cover all forums. It's a bunch of kids who have registered 10 usernames or so, spent a couple of hours posting.

No matter how annoyed someone might be at a company, you never ruin something (forum) that's for others.

 

As per Niel's article in PCMag ( see thread ), the forum was the only refuge for sane Norton Support.

Guess, Symantec actually read that article and decided to take corrective action ......
By degrading the level of Norton Community Forum, thereby forcing everyone to pay $99.99 for support via their devilish agents.

 

Apparently there is something larger at issue. More here than meets the eye.

A mysterious program known as pifts.exe seems to be associated with Symantec's anti-virus system, Norton.

http://www.abovetopsecret.com/forum/thread444230/pg1


PIFTS.exe appears to be related to a Norton update since it has a has a component in it that leverages the user's Internet connection to contact a Web page at norton.com, which is owned and operated by Symantec.

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html


Symantec has been removing ALL posts discussing PIFT's from it's forums.

http://www.google.co.za/search?hl=en&safe=off&q= site:community.norton.com "PIFTS.EXE"


At this time 10:27 AM EST The Norton Forum is shut - down.


More here:


http://www.tech-linkblog.com/2009/03/conspiracy-theories-run-rampant-due-to-piftsexe.html/


Zone Alram Forum thread about PIFTS:


http://forums.zonealarm.org/zonelabs/board/message?message.uid=443981#U443981

 

So the moderators were deleting any reference to PIFTS.exe trying to connect out through users' firewalls?

http://forums.zonealarm.org/zonelab...Off-Topic&message.id=19880&page=1&format=page

Noone knows what the file is, but people are even more frustrated that their posts asking about it, are being deleted?

That's some strange stuff going on. Read the comments in hawki's first link. Nothing might be out of the ordinary, but surely the support staff/moderators could be helpful and shed some light on what is happening.

This one has a few more comments: http://answers.yahoo.com/question/index?qid=20090309204126AAGTEsK

 

Has this PIFTS.exe problem just been added through a "normal" update or has it been added in the new version 16.5? Anyone know? I know some ppl who are using NIS2009 but they're still on version 16.2.0.7 - I understand Symantec are gradually rolling out the new version.

 

Hmm..
They've removed every post with regards to this PIFTS.EXE file in the Norton Community Forums.

I smell something fishy...

 

There is at least one report on the net it came through the normal update:



"I'm starting to wonder if Norton might actually be in on this thing. If you look for a directory similar to C:\WINNT\Temp (or similar depending on your OS) you may find a .txt file which contains a line of information starting with: "the ping url is http://stats.norton.com/n/p?module=..." this smells fishy to me. The text file will have a name similiar to Norton_PIFTS [Date] [Time my machine was apparently last rebooted].log

PIFTS.exe appears to have been pulled in via LiveUpdate back on 3/4 on my machine. On 3/9 Live Update brought in another ZIP file with a long name ending in jtun_pifts.zip.full. Hovering over it from a search screen indicates that it is" No Zip file, bad Zip file, or part of a spanned ZIP file." In the least case, it seems like Norton is trying to get information sent back to itself. This information disappearing from blogs on their own site....hmmmmm. Until they come clean on this, I'll be denying access to this program and probably uninstalling Norton - at least until this is cleared up.You want to be able to trust the company that we're paying for to keep us protected, yes?"

http://answers.yahoo.com/question/index?qid=20090309204126AAGTEsK

 

When checking the IP some posters have reported, PIFTS.exe is connecting to an IP belonging to the company SWAPDRIVE which has been purchased by Symantec last year.
SWAPDRIVE offered online backup services.
However, those posters mentioned PIFTS.exe connecting to stats.norton.com.
Not sure what to make of this.
Funny things going on at Symantec nowadays; folks paying $100 for superduper tech support that uses MBAM and tells users it's a Norton product.
Bleh, finally some proper consumer products and now this...

 

An incident handler with the SANS Internet Storm Center, has updated his former post on the matter:

"I just had a phone call from a Symantec employee confirming the program is theirs, part of the update process and not intended to do harm, more to follow, stay tuned."

http://isc.sans.org/diary.html?storyid=5992

 

Here is my best guess:
https://www.wilderssecurity.com/showthread.php?t=222367

Symantec has been conjuring grand dreams of in-the-cloud-bull-sh*t as stated clearly in the article.
337, your theory may be true.

 

Thanks for the link Vijayind. A supposedly benevolent Eye of Sauron?

 

See this ThreatExpert report:
http://www.threatexpert.com/report.aspx?md5=91b564d825a3487ae5b5fafe57260810

The file connects to stats.norton.com

 

Thought this was interesting from the link in a previous post.....

"WARNING:

We've been sent an example of a web page targeting the term "PIFTS.exe" along with other popular search terms that lead to obfuscated javascript that leads in turn to actual malware.

Take care if you search for this: you might find the bad guys out there taking advantage of our interest in PIFTS.exe already.

At the time of writing the page we were notified about was not (anymore?) indexed in google, but YMMV".

I actually did a google search for PIFTS.exe before I started this thread and clicked on the first result found. As soon as I did, it went to a page and started downloading "something" - I use NIS2009 on my laptop which I was using at the time and it informed me it had blocked trojan JS.Downloader. First time I've been fooled like that!

Perhaps thats what the intention was of all those dodgy posts on their forum - they knew the first thing most ppl would do was to go and google the file name!

 

Or it could be a anomaly in THE MATRIX due to which sentient "Agent" program accidentally revealed the location of Machine City and Deus Ex Machina.

( I hope that was witty at some level ... )

 

http://voices.washingtonpost.com/securityfix/2009/03/symantec_users_complain_of_mys.html

It is always critical if forum starts with rough censorship, the same @sysinternals if you talk about "S" Phantom.
S is also a hidden driver in procexp if you start procexp within a windows boot cd environment furthermore microsoft
used S for Messenger user information some times ago in HKCR\S. Try to talk about @sysinternals, they erase everything.

 

Hi

Call Me Crazy, Paranoid.. Whatever You Like!

But I Swear To God...
Even though I uninstalled NIS 09 a month ago - Uninstalled, NRT, Left Over Folders Deleted etc.
I'm sure NIS 09 still tries to connect to my laptop every day

Once I had uninstalled NIS 09 a month ago... My laptop has been starting up completely differently.
No dodgy Start Ups every other day .. No Black Screens .. Happy!

However!
I've still been noticing strange little habits that I always associated with NIS 09
Things like my Wireless dropping from 99% to 80% just once a day for approx 1 minute.
Thinking to myself... " Get a grip girl "
Then came one day last week
I think it was the 3rd or 4th of March
I Turned On My Laptop - & -
For the first time in a month ( Since Killing - NIS 09 ) .. It was having a really dodgy Start Up.
Finally Got The Laptop On.
I decided to use CCleaner to clean my Windows Temp Files.
But then my laptop wouldn't Start Up at all

3rd Time Lucky ... I got the laptop Started Up .. & .. Was back to normal

But what did I find out later that day?
It was the day all the NIS 09 people had been updated with the Ask Toolbar.

Paranoid I Know! ... OR ... Am I?

 

Keep in mind that security software is always a risk if the company is not sincere or work together with government!

Also think about that most security companies use the weapons of malware to fight malware, they fight fire with fire.
In the end you are not more able to see the difference between black or white hats.

 

I just checked out the Norton forums, and was surprised to see a post asking what pifts.exe is. But after refreshing the page, it was gone. Deleting posts is not going to make this go away. It looks like by now they'd come up with some sort of explanation. The longer this goes on, the more I'm considering whether or not I want to keep NIS 2009 installed on my machines.

 

lol keep posting the question over and over again. we should all post it. for days even till they respond.. i want answers.

 

Funny, they haven't manage to delete this one yet http://community.norton.com/norton/...orton_mac&message.id=253&query.id=241317#M253

 

IMO, a much better option would be to mail bomb this guy with all your questions and feedback.

John Thompson (CEO, Symantec)
jwthompson@symantec.com

 

And here I was defending Norton for awhile when they were being blasted over the ASK thing. If this thing isn't meant to cause trouble or can't cause trouble, as the Symantec employee told SANS, then why the hell are they deleting forum posts about it left and right, unless they are curse-filled insulting posts? I swear, between the chat issue and now this, Norton has a gas leak somewhere and have no idea their IQs have dropped 100 points, or they are TRYING to get attention.

Unless I get some straight-shooting answers soon, and fixes if there are problems, I'm not going near them and will tell others to stay away also. I hate doing that when I don't have any TRUE proof of bad intentions, but hey, they are really handling this badly. If they screwed up someplace and this causes security issues, the absolute best thing they could do is admit to it and get to work, not delete all mentions and work quietly in the background while users wonder what in Gods name is wrong.