.com_kaspersky_iswift_journal in root

Discussion in 'OS X Yosemite (10.10)' started by macmacmacr, Apr 26, 2016.

  1. macmacmacr macrumors member

    Joined:
    Dec 23, 2014
    #1
    I have a file called ".com_kaspersky_iswift_journal" located in my root directory. I have removed all components of Kaspersky and delete the file from root but when I restart after shutdown it reappears.

    I am running Yosemite.

    How can I stop this file from appearing and where is it being generated?
     
  2. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #2
    It sounds like you did not completely uninstall Kaspersky and that file is getting created when Kaspersky launches.

    Install the app Etrecheck and run it to create an anonymized report that will show all launch and startup items. Post that report here and we can help you figure out what you missed.
     
  3. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #3
I have completely removed all files from Kaspersky. I performed a search for all files named *kasper* and manually removed all entries. After reboot the file is recreated after deletion.

I am looking to identify what is creating the file. I will not be using any unknown applications to remove a Kaspersky file because I don't even see any support information for this problem on Kaspersky's site.
     
  4. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #4
    Searching for kasper in your case does not necessarily remove the entire application. There may be something called by another name that is launching the app that is creating that file.

    Etrecheck is not an app removal program, it will simply create a report showing all launch and login items so we can see what is launching and creating that file. For example, there can be launch items in any of the folders below and Etrecheck will list those items so we can look it over.

Etrecheck is a well known troubleshooting utility in the Mac community and is safe to use. You can search this forum for many examples of what it does.

    ~/Library/LaunchAgents
    /Library/LaunchAgents
    /Library/LaunchDaemons
    /Library/StartupItems
     
  5. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #5
Thanks but I have been using the Mac OS built-in utilities like execsnoop and opensnoop. This file is strange: a process maintains access even when I place it in the garbage. However I can't identify the process when I try to empty the trash by performing ps -ef | grep name of the process that won't delete. It also appears that some of the processes shown in execsnoop don't appear in Activity Monitor. The PID processes are higher than Activity Monitor processes like "xpcproxy".
     
  6. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #6
You've come here asking for help but aren't doing what's needed to give you that help. Obviously what you've been doing isn't working to solve this problem, so why not try what's suggested above? EtreCheck doesn't do anything aside from list all the startup processes on your computer. For a situation like this it makes it a lot easier to try troubleshooting a computer that isn't accessible by us, the forum readers.
    Have you tried simply running the Kaspersky uninstaller? I assume you manually removed components. http://support.kaspersky.com/us/11531 http://support.kaspersky.com/8366
    It looks like you will need to find the proper uninstaller for the version you had on the computer.
     
  7. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #7
    Is anyone familiar with starting opensnoop or another equivalent process monitoring application from boot up of a yosemite Mac?

    When I monitor the .com_kaspersky file I see the following using opensnoop -f .com_kaspersky_iswift_journal
    dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 6 (ID 947: syscall::open_nocancel:return): invalid user access in predicate at DIF offset 164
    dtrace: error on enabled probe ID 5 (ID 161: syscall::open:return): invalid user access in predicate at DIF offset 164
    --- Post Merged, May 2, 2016 ---
    The uninstall site that you suggest has a discrepancy. When the uninstall is unzipped the program is a .app and not a .dmg as the document suggests. So I did not install.
     
  8. chrfr, May 3, 2016
    Last edited: May 3, 2016

    chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #8
    This is not a useful means of finding the source of your file.

    It's Kaspersky's uninstaller. If you aren't going to follow any of the troubleshooting steps that have been offered, there's no point in continuing this thread.
    If you'd like to be more sure of the origins of Kaspersky's site, you can use https to access the files:
    https://support.kaspersky.com/us/11531
    https://support.kaspersky.com/8366
    Look in the 4 directories listed at the bottom of post #4 and provide us the listing of the files that are in there. Do the same for /Library/Extensions.
     
  9. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #9
    Before rebooting I deleted the file .com_kaspersky_iswift_journal and then booted into safe mode. The file .com_kaspersky_iswift_journal reappeared hidden in the root directory in safe mode (hold down left shift) when only operating system essentials should be operational.
    --- Post Merged, May 3, 2016 ---
    The startup directory is empty
    Launchdaemons:
    com.hanynet.icefloor.plist org.virtualbox.startup.plist
    net.tunnelblick.tunnelblick.tunnelblickd.plist org.wireshark.ChmodBPF.plist org.gpgtools.gpgmail.patch-uuid.plist

    Launchagents:
    AVerQuick.plist org.gpgtools.gpgmail.updater.plist
    org.gpgtools.Libmacgpg.xpc.plist org.gpgtools.macgpg2.fix.plist
    org.gpgtools.gpgmail.enable-bundles.plist org.gpgtools.macgpg2.shutdown-gpg-agent.plist
    org.gpgtools.gpgmail.patch-uuid-user.plist org.gpgtools.macgpg2.updater.plist
     
  10. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #10
    Yes, and so far you continue to guess - unsuccessfully.
    EtreCheck (suggested several times already :D ) is a good method that can help pin down potential files that may be creating your mystery file.
    chfr, at the end of post #8 shows a good step that might actually help.
    --- Post Merged, May 3, 2016 ---
    Be sure to also check in ALL locations that have listings for Launch daemons and launch agents. There will be at least two sets of those two folders, one in /Library, and one in your home folder/Library.
    Etrecheck will list all locations for those at one time, making your search more convenient - and will be easier to figure out than the 'untabbed' list that you posted above.
    Good luck!
     
  11. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #11
    Assuming of course that the file was not recreated before you rebooted. If there is no launch agent or daemon, then the problem is likely caused by a kernel extension. Either you download EtreCheck and let us have a look, or you resolve it yourself.

    This is also clearly a problem caused by Kaspersky, so the prudent decision to make would be to follow that developer’s manual and use the provided tools to uninstall the software completely. I do not understand why you are so hesitant about it, given that you installed their software in the first place.
     
  12. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #12
    I found the solution using only the built in O.S. commands

    Perform the following
    kextstat|grep -v com.apple

    My Mac shows the following

    Index Refs Address Size Wired Name (Version) <Linked Against>
    119 0 0xffffff7f80c08000 0x14000 0x14000 com.kaspersky.kext.klif (3.0.6a46) <16 5 4 3 1>
    122 0 0xffffff7f80b9e000 0x5c000 0x5c000 com.kaspersky.nke (2.1.2a6) <49 7 5 4 3 1>

    134 3 0xffffff7f82ae4000 0x63000 0x63000 org.virtualbox.kext.VBoxDrv (5.0.20) <7 5 4 3 1>
    141 0 0xffffff7f82b47000 0x8000 0x8000 org.virtualbox.kext.VBoxUSB (5.0.20) <134 110 38 7 5 4 3 1>
    142 0 0xffffff7f82b4f000 0x5000 0x5000 org.virtualbox.kext.VBoxNetFlt (5.0.20) <134 7 5 4 3 1>
    143 0 0xffffff7f82b54000 0x6000 0x6000 org.virtualbox.kext.VBoxNetAdp (5.0.20) <134 5 4 1>

    To remove the kaspersky components from your Mac perform the following

    sudo kextunload -b "kernel name"

    My example
    sudo kextunload -b com.kaspersky.kext.klif
    sudo kextunload -b com.kaspersky.nke


    This will remove the kernel portion and prevent the problem of the hidden file reappearing on boot up.

    Warning.

    You should remove any files containing "kaspersky" and "kav" on your system. I was surprised that a "kav" binary existed in the Mac OS /usr/bin files. Kaspersky should not have placed a binary into the Mac OS's binary location.

    I found the Kaspersky uninstall application was not recognized by Mac OS as being a recognized installed application. So I would not use the Kaspersky uninstall application.
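The triage this post describes (list non-Apple kexts with kextstat, then compare with the launchd folders named in post #4), written up as a small POSIX sh helper. This is an added example, not code from the thread or from Kaspersky; the column layout it assumes is the one shown in the kextstat listing above, and the sample output is constructed from that listing.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Given `kextstat` output on stdin,
# print the bundle identifier of every loaded kext that is not Apple's,
# optionally narrowed to one case-insensitive vendor substring ("kaspersky").
# Assumed column layout: Index Refs Address Size Wired Name (Version) <Linked Against>
nonapple_kexts() {
    awk -v vendor="$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" '
        NR == 1 && $1 == "Index" { next }   # header line
        NF < 6 { next }                      # blank or malformed line
        $6 ~ /^com\.apple\./ { next }        # Apple-signed kexts are expected
        vendor == "" || index(tolower($6), vendor) { print $6 }
    '
}

# List every entry in the persistence locations named in posts #4 and #8, so
# the launchd side can be compared with the kext side in one pass. Directories
# that do not exist on the machine are skipped silently.
list_persistence() {
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
             /Library/LaunchDaemons /Library/StartupItems /Library/Extensions; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
}

# Constructed sample modelled on the kextstat listing in post #12 (one Apple
# line added so the filter has something to drop).
SAMPLE_KEXTSTAT='Index Refs Address Size Wired Name (Version) <Linked Against>
   12 0 0xffffff7f80a00000 0x3000 0x3000 com.apple.driver.Example (1.0) <5 4 3>
  119 0 0xffffff7f80c08000 0x14000 0x14000 com.kaspersky.kext.klif (3.0.6a46) <16 5 4 3 1>
  122 0 0xffffff7f80b9e000 0x5c000 0x5c000 com.kaspersky.nke (2.1.2a6) <49 7 5 4 3 1>
  134 3 0xffffff7f82ae4000 0x63000 0x63000 org.virtualbox.kext.VBoxDrv (5.0.20) <7 5 4 3 1>'

# On a live Mac: kextstat | nonapple_kexts kaspersky ; list_persistence
# Each bundle id printed is what `sudo kextunload -b <id>` takes, as in the post.
```

Running it against the embedded sample prints the two Kaspersky bundle ids and the VirtualBox driver, and only the Kaspersky pair when the vendor filter is given.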
     
  13. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #13
    Had you run the Etrecheck report two weeks ago, it would have showed those kexts in the report just like the Etrecheck report in this post. Then we would have directed you to remove the kaspersky kexts from the folder /System/Library/Extensions/ and you would have been done.
     
  14. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
  15. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #15
    Got it. 2 additional files must be deleted.

    klnke.kext

    klif.kext
     
  16. macmacmacr thread starter macrumors member

    Joined:
    Dec 23, 2014
    #16
    I believe this may be malware. The application TOR on my Yosemite Mac no longer automatically updates to the next new version. I tried to prevent it from automatically updating but could not stop TOR from updating.

    Now the automatic update does not occur.
     