Pastebin
Paste #3562: The Windows XP spy machine - CCleaner Cache Exposed
Pasted by Anonymous Coward
Here it is folks - the Windows XP spy machine - CCleaner_Cache_Exposed
Windows XP Hidden Cache (Updated)
This was a copy taken from a modified CCleaner
registry; if installed you can find it within
HKEY_CURRENT_USER\Software\Piriform\CCleaner
using regedit.exe from C:\WINDOWS
Owner = whatever user name you have. Mine is “Owner”
Note: Mozilla “.default” ID censored due
to security. The full path remains exposed.
Every Mozilla Firefox user has a different
.default ID, so consider it xxxxxxxx.default
- the paths shown are what you need to know.
C:\Program Files\Mozilla Firefox\updater.exe
C:\Program Files\Mozilla Firefox\updater.ini
C:\Program Files\Mozilla Firefox\update.locale
C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.bak
C:\Documents and Settings\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt
C:\Documents and Settings\Default User\Cookies\index.dat
C:\Documents and Settings\Default User\Local Settings\History
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\*.*
C:\Documents and Settings\Default User\Local Settings\Temp\*.*
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\*.*
C:\Documents and Settings\Default User\NetHood\*.*
C:\Documents and Settings\Default User\Cookies\*.*
C:\Documents and Settings\Owner\Recent\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\OfflineCache\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\*.*
C:\Program Files\Mozilla Firefox\components\nsSessionStore.js
C:\Program Files\Mozilla Firefox\components\aboutSessionRestore.js
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds\*.*
C:\Documents and Settings\Owner\Application Data\Microsoft\CryptnetUrlCache\*.*
C:\Documents and Settings\All Users\Application Data\MFAData\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\bookmarkbackups\*.*
C:\Documents and Settings\Owner\Favorites\Microsoft Websites\*.*
C:\Documents and Settings\All Users\Application Data\Microsoft\HTML Help\*.*
C:\Documents and Settings\All Users\Application Data\Microsoft\MSDAIPP\*.*
C:\Documents and Settings\Default User\Recent\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\OfflineCache\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\*.*
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*.*
C:\Program Files\Mozilla Firefox\searchplugins\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\extensions.cache
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\cookies.sqlite
C:\Program Files\Mozilla Firefox\components\nsUpdateService.js
C:\Program Files\Mozilla Firefox\components\nsUrlClassifierLib.js
C:\Program Files\Mozilla Firefox\components\nsUrlClassifierListManager.js
C:\Documents and Settings\Owner\Local Settings\Temp\*.*
C:\Documents and Settings\Owner\avgui.log
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\XPC.mfl
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\XUL.mfl
C:\Program Files\Mozilla Firefox\components\nsFormAutoComplete.js
C:\Program Files\Mozilla Firefox\components\GPSDGeolocationProvider.js
C:\Program Files\Mozilla Firefox\components\nsPlacesAutoComplete.js
C:\Documents and Settings\Owner\Application Data\.purple\logs\*.*
C:\Documents and Settings\Default User\Templates\*.*
C:\Documents and Settings\Owner\.recently-used.xbel
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2AA8.tmp
C:\Documents and Settings\Owner\Local Settings\Temp\nss61.tmp
C:\Documents and Settings\Owner\Local Settings\Temp\nsx62.tmp\i
C:\Documents and Settings\Owner\Local Settings\Temp\nsx62.tmp\D
C:\Program Files\Mozilla Firefox\extensions\*.*
C:\Program Files\Mozilla Firefox\chrome\pippki.jar
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
C:\Documents and Settings\Owner\Local Settings\Temp\WER896d.dir00\
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD751.tmp
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\urlclassifier3.sqlite
C:\Documents and Settings\Owner\Local Settings\Temp\WERe82a.dir00\*.*
C:\Documents and Settings\Owner\Local Settings\Temp\WERec2d.dir00\*.*
C:\Documents and Settings\All Users\Application Data\AVG2012\SetupBackup\Emailsx.cab
C:\Documents and Settings\All Users\Application Data\AVG2012\SetupBackup\*.*
C:\C:\WINDOWS\system32\netdde.exe
C:\Documents and Settings\Owner\Application Data\Identities\{1F25A10D-203D-4411-9884-6CBBA98EB1EE}\*.*
C:\Documents and Settings\Owner\Desktop\wiaservc.dll
C:\Documents and Settings\Owner\Local Settings\Application Data\4kdownload.com\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\*.*
C:\Documents and Settings\Owner\My Documents\SnowFox Total Video Converter\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\secmod.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Xilisoft\Online Video Downloader\*.*
C:\WINDOWS\l2schemas\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Infacta\GroupMail\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\MPlayer\*.*
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Player\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Documents and Settings\Default User\Application Data\Microsoft\Media Player\*.*
C:\WINDOWS\system32\mnmsrvc.exe
C:\Documents and Settings\Owner\Application Data\SumatraPDF\*.*
C:\Documents and Settings\Owner\IECompatCache\*.*
C:\Documents and Settings\Owner\IETld\*.*
C:\Documents and Settings\Owner\PrivacIE\*.*
C:\Documents and Settings\Owner\Temporary Internet Files\*.*
C:\Documents and Settings\Owner\Feeds Cache\Local Settings\Application Data\Microsoft\Feeds Cache\*.*
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\*.*
C:\Documents and Settings\NetworkService\Cookies\*.*
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.*
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\*.*
C:\Documents and Settings\Owner\Application Data\Microsoft\CryptnetUrlCache\MetaData\*.*
C:\Documents and Settings\Owner\Application Data\Microsoft\CryptnetUrlCache\Content\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\OfflineCache\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\bookmarkbackups\*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\OfflineCache\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\extensions.cache
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\cookies.sqlite
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\XPC.mfl
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\XUL.mfl
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\████████.default\urlclassifier3.sqlite
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\secmod.db
C:\WINDOWS\inf\iis.inf
C:\WINDOWS\inf\iis.PNF
C:\Program Files\Internet Explorer\Connection Wizard\phone.icw
C:\Program Files\Internet Explorer\Connection Wizard\phone.ver
C:\Documents and Settings\Owner\Local Settings\Application Data\4Media\YouTube HD Video Converter\cache\http*.*
C:\Documents and Settings\Owner\Local Settings\Application Data\4Media\YouTube HD Video Converter*.*
C:\Program Files\Common Files\Microsoft Shared\web server extensions\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\webappsstore.sqlite
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\HelpCtr\*.*
C:\Documents and Settings\Owner\Application Data\Macromedia\*.*
C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\*.*
C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\*.*
C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\macromedia.com\*.*
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\████████.default\localstore.rdf
C:\WINDOWS\system32\Macromed\Flash\*.*
C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
C:\Documents and Settings\Owner\Application Data\Adobe\*.*
C:\Documents and Settings\Owner\Application Data\Adobe\Flash Player\AssetCache\*.*
Here it is folks - the Windows XP spy machine.
This list exposes where all the cookies are
stored, all the user history logs, web cache,
useless system cache, including where evercookie
is planted - EVERYTHING is here. Total exposé.
A lot of these files and cache paths will
re-generate too, so you need something like
CCleaner.exe to target and wipe this shit out
at the very least once per day.
And btw, those new systems are far worse!
- NOBODY
Tor Browser Cache
\Tor Browser\FirefoxPortable\App\Firefox\removed-files
\Tor Browser\FirefoxPortable\App\Firefox\updater.exe
\Tor Browser\FirefoxPortable\App\Firefox\updater.ini
\Tor Browser\FirefoxPortable\App\Firefox\update-settings.ini
\Tor Browser\FirefoxPortable\App\Firefox\searchplugins\*.*
\Tor Browser\FirefoxPortable\Data\profile\cookies.sqlite
\Tor Browser\FirefoxPortable\Data\profile\cookies.sqlite-shm
\Tor Browser\FirefoxPortable\Data\profile\cookies.sqlite-wal
\Tor Browser\FirefoxPortable\Data\profile\formhistory.sqlite
\Tor Browser\FirefoxPortable\Data\profile\places.sqlite-shm
\Tor Browser\FirefoxPortable\Data\profile\places.sqlite
\Tor Browser\FirefoxPortable\Data\profile\places.sqlite-wal
\Tor Browser\FirefoxPortable\Data\profile\bookmarkbackups\*.*
\Tor Browser\FirefoxPortable\Data\profile\signons.sqlite
\Tor Browser\FirefoxPortable\Data\profile\startupCache\*.*
Tor stinks?
http://cryptome.org/2013/10/nsa-tor-stinks.pdf
“Use cookies to identify Tor users when
they are not using Tor.”
“Investigate Evercookie persistence.”
Evercookie can be found within Windows systems
and can be wiped out here:
C:\Documents and Settings\Owner\Application Data\Macromedia
Here is evercookie.sol found from an old
bleach log.
C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\ED5YHQQU\bbcdn-bbnaut.ibillboard.com\server-static-files\bbnaut.swf\evercookie.sol
- NOBODY
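The evercookie.sol path above follows the Flash Local Shared Object layout #SharedObjects\<random id>\<domain>\<path to .swf>\<name>.sol, so every stored object names the site that planted it. The following is an added example, not part of the original paste: it walks a #SharedObjects folder, reports the origin domain of each .sol file and confirms from the header that it is a real LSO. The header layout (0x00BF magic, "TCSO" tag, length-prefixed object name) is assumed here from the publicly documented LSO format, the function names are hypothetical, and the sample tree is constructed from the path quoted above.

```python
import struct
import tempfile
from pathlib import Path

def make_sol(name: str) -> bytes:
    """Build a minimal, empty LSO file (constructed sample, not captured data)."""
    n = name.encode()
    body = b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(n)) + n + b"\x00" * 4
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

def sol_object_name(data: bytes):
    """Return the object name stored in an LSO header, or None if not an LSO."""
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    if 18 + name_len > len(data):
        return None  # truncated header
    return data[18:18 + name_len].decode("utf-8", "replace")

def find_lsos(shared_objects: Path):
    """List every .sol under a #SharedObjects folder with its origin domain."""
    found = []
    for sol in sorted(shared_objects.rglob("*.sol")):
        parts = sol.relative_to(shared_objects).parts
        if len(parts) < 3:  # need <random id>/<domain>/.../<name>.sol
            continue
        found.append({
            "domain": parts[1],
            "swf_path": "/".join(parts[2:-1]),
            "file": parts[-1],
            "object_name": sol_object_name(sol.read_bytes()),
            "path": sol,
        })
    return found

def demo(root: Path):
    """Create the layout quoted in the paste plus one decoy, then scan it."""
    so = root / "#SharedObjects"
    real = so / "ED5YHQQU" / "bbcdn-bbnaut.ibillboard.com" / "server-static-files" / "bbnaut.swf"
    real.mkdir(parents=True)
    (real / "evercookie.sol").write_bytes(make_sol("evercookie"))
    decoy = so / "ED5YHQQU" / "example.invalid"
    decoy.mkdir(parents=True)
    (decoy / "notes.sol").write_bytes(b"plain text, not an LSO")
    return find_lsos(so)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in demo(Path(tmp)):
            print(hit["domain"], hit["swf_path"], hit["file"], hit["object_name"])
```

To audit a real profile, pass the Flash Player\#SharedObjects folder to find_lsos(); an entry whose object_name is None has a .sol extension but no LSO header.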
Pidgin OTR Hidden Logs in Linux System
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxx@hot-chilli.net/2015-01-02.110156-0700MST.html
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxx@hot-chilli.net/2015-01-08.192023-0700MST.html
Pidgin OTR-encrypted chat ... NOT so safe after all, it still logs your chats ...
EVEN when you tell it not to. Here is where to bleach the logs:
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxx@hot-chilli.net/2015-01-14.122132-0700MST.html
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxx@hot-chilli.net/2015-01-16.198200-0700MST.html
Delete 8.2kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxx@hot-chilli.net/2015-01-17.170908-0700MST.html
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/hot-chilli.net/2015-01-18.115805-0700MST.html
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/xxxxxxxxx@hot-chilli.net
Delete 4.1kB /home/User/.purple/logs/jabber/xxxxxxxxxx@hot-chilli.net/hot-chilli.net
/User/ * this name depends on your default user name.
- NOBODY
Tor Hidden Cache in Linux Systems
/Tor Browser/Browser/.local/share/
/Tor Browser/Browser/.local/share/gvfs-metadata/
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackups/
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/cookies.sqlite
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/formhistory.sqlite
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/startupCache/
/Tor Browser/Browser/TorBrowser/Data/Browser/profile.default/webappsstore.sqlite
Read more at http://www.liveleak.com/view?i=3a2_1422235201#vjwgrTYipto6Vaxi.99