
macmacmacr (original poster)
I have a file called ".com_kaspersky_iswift_journal" located in my root directory. I have removed all components of Kaspersky and deleted the file from root, but when I restart after shutdown it reappears.

I am running Yosemite.

How can I stop this file from appearing and where is it being generated?
 
It sounds like you did not completely uninstall Kaspersky and that file is getting created when Kaspersky launches.

Install the app Etrecheck and run it to create an anonymized report that will show all launch and startup items. Post that report here and we can help you figure out what you missed.
 
I have completely removed all files from Kaspersky. I performed a search for all files named *kasper* and manually removed all entries. After reboot the file is recreated after deletion.

I am looking to identify what is creating the file. I will not be using any unknown applications to remove a Kaspersky file, because I don't even see any support information for this problem on Kaspersky's site.
 
Searching for kasper in your case does not necessarily remove the entire application. There may be something called by another name that is launching the app that is creating that file.

Etrecheck is not an app removal program, it will simply create a report showing all launch and login items so we can see what is launching and creating that file. For example, there can be launch items in any of the folders below and Etrecheck will list those items so we can look it over.

Etrecheck is a well-known troubleshooting utility in the Mac community and is safe to use. You can search this forum for many examples of what it does.

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
 
Thanks, but I have been using the Mac OS built-in utilities like execsnoop and opensnoop. This file is strange: a process maintains access even when I place it in the trash. However, I can't identify the process when I try to empty the trash by performing ps -ef | grep <name of the process that won't delete>. It also appears that some of the processes shown in execsnoop don't appear in Activity Monitor. The PIDs of those processes are higher than Activity Monitor processes like "xpcproxy".
 
You've come here asking for help but aren't doing what's needed to give you that help. Obviously what you've been doing isn't working to solve this problem, so why not try what's suggested above? EtreCheck doesn't do anything aside from list all the startup processes on your computer. For a situation like this it makes it a lot easier to try troubleshooting a computer that isn't accessible by us, the forum readers.
Have you tried simply running the Kaspersky uninstaller? I assume you manually removed components. http://support.kaspersky.com/us/11531 http://support.kaspersky.com/8366
It looks like you will need to find the proper uninstaller for the version you had on the computer.
 
Is anyone familiar with starting opensnoop or another equivalent process-monitoring application from boot-up of a Yosemite Mac?

When I monitor the .com_kaspersky file with opensnoop -f .com_kaspersky_iswift_journal I see the following:
dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
The uninstall site that you suggest has a discrepancy. When the uninstaller is unzipped, the program is a .app and not a .dmg as the document suggests. So I did not install it.
 
Is anyone familiar with starting opensnoop or another equivalent process-monitoring application from boot-up of a Yosemite Mac?
This is not a useful means of finding the source of your file.

The uninstall site that you suggest has a discrepancy. When the uninstaller is unzipped, the program is a .app and not a .dmg as the document suggests. So I did not install it.
It's Kaspersky's uninstaller. If you aren't going to follow any of the troubleshooting steps that have been offered, there's no point in continuing this thread.
If you'd like to be more sure of the origins of Kaspersky's site, you can use https to access the files:
https://support.kaspersky.com/us/11531
https://support.kaspersky.com/8366
Look in the 4 directories listed at the bottom of post #4 and provide us the listing of the files that are in there. Do the same for /Library/Extensions.
 
Before rebooting I deleted the file .com_kaspersky_iswift_journal and then booted into safe mode. The file .com_kaspersky_iswift_journal reappeared, hidden, in the root directory in safe mode (hold down left Shift), when only operating system essentials should be operational.
The startup directory is empty.

LaunchDaemons:
com.hanynet.icefloor.plist
org.virtualbox.startup.plist
net.tunnelblick.tunnelblick.tunnelblickd.plist
org.wireshark.ChmodBPF.plist
org.gpgtools.gpgmail.patch-uuid.plist

LaunchAgents:
AVerQuick.plist
org.gpgtools.gpgmail.updater.plist
org.gpgtools.Libmacgpg.xpc.plist
org.gpgtools.macgpg2.fix.plist
org.gpgtools.gpgmail.enable-bundles.plist
org.gpgtools.macgpg2.shutdown-gpg-agent.plist
org.gpgtools.gpgmail.patch-uuid-user.plist
org.gpgtools.macgpg2.updater.plist
 
Yes, and so far you continue to guess - unsuccessfully.
EtreCheck (suggested several times already :D ) is a good method that can help pin down potential files that may be creating your mystery file.
chfr, at the end of post #8 shows a good step that might actually help.
Be sure to also check in ALL locations that have listings for launch daemons and launch agents. There will be at least two sets of those two folders: one in /Library, and one in your home folder's Library.
Etrecheck will list all locations for those at one time, making your search more convenient, and will be easier to figure out than the untabbed list that you posted above.
Good luck!
 
Before rebooting I deleted the file .com_kaspersky_iswift_journal and then booted into safe mode.

Assuming of course that the file was not recreated before you rebooted. If there is no launch agent or daemon, then the problem is likely caused by a kernel extension. Either you download EtreCheck and let us have a look, or you resolve it yourself.

This is also clearly a problem caused by Kaspersky, so the prudent decision to make would be to follow that developer’s manual and use the provided tools to uninstall the software completely. I do not understand why you are so hesitant about it, given that you installed their software in the first place.
 
I found the solution using only the built in O.S. commands

Perform the following
kextstat | grep -v com.apple

My Mac shows the following

Index Refs Address Size Wired Name (Version) <Linked Against>
119 0 0xffffff7f80c08000 0x14000 0x14000 com.kaspersky.kext.klif (3.0.6a46) <16 5 4 3 1>
122 0 0xffffff7f80b9e000 0x5c000 0x5c000 com.kaspersky.nke (2.1.2a6) <49 7 5 4 3 1>

134 3 0xffffff7f82ae4000 0x63000 0x63000 org.virtualbox.kext.VBoxDrv (5.0.20) <7 5 4 3 1>
141 0 0xffffff7f82b47000 0x8000 0x8000 org.virtualbox.kext.VBoxUSB (5.0.20) <134 110 38 7 5 4 3 1>
142 0 0xffffff7f82b4f000 0x5000 0x5000 org.virtualbox.kext.VBoxNetFlt (5.0.20) <134 7 5 4 3 1>
143 0 0xffffff7f82b54000 0x6000 0x6000 org.virtualbox.kext.VBoxNetAdp (5.0.20) <134 5 4 1>

To remove the Kaspersky components from your Mac, perform the following:

sudo kextunload -b <kext bundle identifier>

My example:
sudo kextunload -b com.kaspersky.kext.klif
sudo kextunload -b com.kaspersky.nke


This will remove the kernel portion and prevent the problem of the hidden file reappearing on boot-up.

Warning.

You should remove any files containing "kaspersky" and "kav" on your system. I was surprised that a "kav" binary existed in the Mac OS /usr/bin directory. Kaspersky should not have placed a binary into the Mac OS's binary location.

I found that the Kaspersky uninstall application was not recognized by Mac OS as an installed application. So I would not use the Kaspersky uninstall application.
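An added example, not code from the thread or from Kaspersky: a POSIX shell script that does in one pass what this thread converged on. It lists the launch-item directories named earlier (system-wide and the current user's), the two kext directories mentioned, and the binary directories where the "kav" binary turned up, filtered by a vendor pattern; and it reads kextstat output, drops the com.apple entries the way "kextstat | grep -v com.apple" does, and turns the remaining matching bundle identifiers into kextunload commands for review. The kextstat sample is constructed from the listing in the post above (one com.apple line added so the filter has something to drop); the function names, the directory list and the vendor pattern 'kaspersky|kav' are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Persistence sweep for a Mac:
# launch items and kexts on disk, plus loaded non-Apple kexts.
# Function names, the directory list and the vendor pattern are assumptions.

# list_persistence_paths: print every entry in the launch-item, kext and
# binary directories (system-wide and the current user's), one path per line.
list_persistence_paths() {
    for d in /Library/LaunchAgents /Library/LaunchDaemons /Library/StartupItems \
             /Library/Extensions /System/Library/Extensions \
             "$HOME/Library/LaunchAgents" /usr/bin /usr/local/bin; do
        [ -d "$d" ] || continue
        ls -A1 "$d" | sed "s|^|$d/|"
    done
}

# vendor_paths PATTERN: the subset of those paths matching a case-insensitive
# extended regex (e.g. 'kaspersky|kav'). No match is not an error.
vendor_paths() {
    list_persistence_paths | grep -E -i "$1" || true
}

# non_apple_kexts: read kextstat(8) output on stdin and print the bundle
# identifier (6th column) of every kext that is not under com.apple.
# Same filter as the thread's `kextstat | grep -v com.apple`, but it keeps
# only the identifier, which is what `kextunload -b` expects.
non_apple_kexts() {
    awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# unload_commands PATTERN: emit the kextunload lines for matching kexts.
# They are printed rather than executed so the operator reviews them first:
# kextunload needs root, and it only unloads from the running kernel; the
# bundle on disk must still be deleted or it is loaded again at next boot.
unload_commands() {
    non_apple_kexts | grep -E -i "$1" | sed 's/^/sudo kextunload -b /'
}

# Constructed sample of kextstat output, modelled on the listing in the post
# above; the com.apple line is added so the filter has something to drop.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1    0 0xffffff7f80a00000 0x1000     0x1000     com.apple.kpi.bsd (14.5.0)
  119    0 0xffffff7f80c08000 0x14000    0x14000    com.kaspersky.kext.klif (3.0.6a46) <16 5 4 3 1>
  122    0 0xffffff7f80b9e000 0x5c000    0x5c000    com.kaspersky.nke (2.1.2a6) <49 7 5 4 3 1>
  134    3 0xffffff7f82ae4000 0x63000    0x63000    org.virtualbox.kext.VBoxDrv (5.0.20) <7 5 4 3 1>'

VENDOR='kaspersky|kav'

echo "== files on disk matching $VENDOR =="
vendor_paths "$VENDOR"

echo "== loaded vendor kexts (review these, then run them) =="
if command -v kextstat >/dev/null 2>&1; then
    kextstat | unload_commands "$VENDOR"                           # live data on a Mac
else
    printf '%s\n' "$SAMPLE_KEXTSTAT" | unload_commands "$VENDOR"   # sample elsewhere
fi
```

Run it as the user whose home folder is to be checked; only the kextunload lines it prints need sudo. A file that comes back in safe mode, when launch agents and daemons are not started, is exactly the case where the kext list rather than the launch-item list is the place to look.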
 
I found the solution using only the built in O.S. commands

Had you run the Etrecheck report two weeks ago, it would have shown those kexts in the report just like the Etrecheck report in this post. Then we would have directed you to remove the Kaspersky kexts from the folder /System/Library/Extensions/ and you would have been done.
 
I believe this may be malware. The application TOR on my Yosemite Mac no longer automatically updates to the next new version. I tried to prevent it from automatically updating but could not stop TOR from updating.

Now the automatic update does not occur.
 