PIFTS.exe

[MililaniBuckeye]

Just got a Security Alert pop-up from my Symantec anti-virus program saying PIFTS.exe is trying to connect to a DNS server. The IP of the DNS is my local RoadRunner DNS server. The path of the PIFTS.exe file name shows as "C:\ProgramData\Symantec\LiveUpdate\Downloads\Updt 122\", but there is no "Updt122" folder. I also did a full disk search and the "PIFTS.exe" wasn't found.

There's virtually nothing on this via Google yet. Norton support forum did have a thread on this that started today which had numerous people asking about this (apparently this all started today) and now that thread has magically been deleted.

Any Norton/Symantec gurus here know WTF is going on? I'm not allowing PIFTS.exe to do [censored] until I get some answers from someone...

[BuckeyeMac]

lol 47 guests viewing the thread, I guess this must be up towards the top of google search results

[MililaniBuckeye]

Quote:

Originally Posted by BuckeyeMac

lol 47 guests viewing the thread, I guess this must be up towards the top of google search results

Actually, it's currently #8 out of all "PIFTS.exe" searches...

[Deety]

Quote:

Originally Posted by MililaniBuckeye

Actually, it's currently #8 out of all "PIFTS.exe" searches...

Pretty sure that makes you a suspect.

[MililaniBuckeye]

Quote:

Originally Posted by Deety

Pretty sure that makes you a suspect.

Pftftftft...you just now figured that out?

[jwinslow]

Re: PIFTS.exe - Windows and ZoneAlarm™ Messages and Alerts - ZoneAlarm User Forum

Quote:

I have NIS and it generated an alert about PIFTS.exe this morning. I Googled it and got no hits - ZERO. I went to the Norton community forums to ask if anyone else had encountered it and what to do and found that another user had asked the same question. I added mine and a number of others added theirs, then the thread was deleted. Another thread popped up. The first one was just people who were wondering what was going on, but the second thread was full of suspicions. When Norton deletes a thread which was full of totally legitimate and non-threatening questions you really have to start wondering and apparently many people did. That thread was deleted, too. And so has every other thread that I've been able to find. It appears that Norton/Symantec is trying to cover something up by deleting these threads and hoping we all get bored and go away.

So this evening I decided to try Google again and look at this: I now get hits. It looks like ZoneAlarm users are seeing the same alerts. Has anyone been able to get to the bottom of this? I never allow anything to go to the web until I know what it is. And this apparent cover-up is very disturbing.

Quote:

Even more interestingly now, after posting a single post asking about PIFTS.exe, which was deleted, and a subsequent post to another forum asking about the deleted posts, which got deleted, I've now been blocked from creating new posts or replies on the Norton forums. They really don't want to talk about whatever this was.

And doubly interesting -- or perhaps not, who knows -- not sure if this is standard practice at Symantic or what, but opening the PIFTS.exe in a hex editor shows a large section of the end of the file consists only of "PADDINGXX" repeated over and over. I've got some background in programming and can't think of a good reason why you would need padding like that on a legitimate executable. However, if an executable in an update has been compromised it may require padding such as that to match the original executable's file size or something. But that's just pointless conspiracy theorizing that likely has no basis. It would be nice though to hear from Norton about what the **bleep** this thing is.

Quote:

On my system the file is located inside what appears to be a downloaded update file from Symantec. Cocuments and SettingsAll UsersApplication DataSymantecLiveUpdateDownloads1236641345jtun_pift s.zip.full.zip (not sure if the filename itself is consistent between systems). So far it appears to be some sort of update to Norton, but with absolutely no explanation provided, and obviously some hush-up attempts on the Norton forums.

[MililaniBuckeye]

And now bogus sites are popping up disguising themselves as legit forums, appearing in Google search results. I clicked on one and got a Norton Antivirus notification that it blocked JS.Downloader and the page remained blank. When I went back to the Google results I looked at the text and sure enough it was broken English: "He met with great oppofition from the pa- pifts and anabaptifts in his ...... to fee his project for augmenting poor livings carried into exe- cution. ...". Right below that link was another one with [censored]ed up English in the description: "And heer again the Annals record them to befeige Exe- Sim. ...... 43. he is intreated by the Britans to head them againft the Pifts and Saxons, ibid, . ...". Both links were entitled "PIFTS EXE" and both pages were "pifts-exe"...they're taking advantage of the current confusion, enticing users to click their link so they can try to infect your PC.

[3074326]

Sounds like Norton has some explaining to do.

Pretty awesome customer service there. What good do they think they can get out of silencing the community?

[Dryden]

I just spent maybe 10 minutes looking at the Symantec/Norton forums and watched as threads re: PIFTS would pop up then be deleted within 60 seconds. There were dozens of them, until it devolved to the point where frustrated, angry people were clearly registering phony accounts and spamming PIFTS threads to the site to see how fast Symantec could delete them. The threads would literally show up three or four at time, and all be deleted after a couple of page refreshes.

It's really disconcerting, since we run Symantec Corporate at my company.

There are stories out there now, though:

Digg - What is PIFTS and why is Symantec covering it up?

Tech Fears Arise Over Norton and Pifts.exe, page 1

[BuckeyeMac]

Just looked at a few places really quick, a theory that keeps popping up is that this executable is logging information and sending it to a few places....lol Idk if it's true, but if so could it be a government watch system? lol

[Dryden]

Quote:

Originally Posted by BuckeyeMac

Just looked at a few places really quick, a theory that keeps popping up is that this executable is logging information and sending it to a few places....lol Idk if it's true, but if so could it be a government watch system? lol

I've read those suggestions too, but frankly that's just too tin foil hat/army black ops helicopters even for me, and I love a good conspiracy theory as much as the next guy.

My guess is somebody hacked/hijacked Symantec's Live Update content delivery system.

[Dryden]

59 guests and over 1,100 page views for this thread! LOL.

That's hysterical. I guess this is as good a place as any to caution all our guests about the story of Trey McNeil and Edfinancial.

[Dryden]

Norton's Forums are down.

/.'ed

Slashdot | Norton Users Worried By PIFTS.exe, Stonewalling By Symantec

[MililaniBuckeye]

What's funny is that my anti-virus software alerted me that it wanted to access the internet, basically saying "Hey, I'm trying to sneak something by you...will you let me?".

[Dryden]

Only Microsoft Windows would require users install a virus scanner for their virus scanner ...