At my wits end: unable to remove virus Trojan.GenericKD.71025853 from InstallerSandboxes directory
Mac Studio M1
Mac OS Ventura 13.6.3
Bitdefender 9.4.1.4
Hello,
Bitdefender found a virus which it cannot remove/quarantine and instructs the user to manually remove.
Bitdefender Report:
We identified a threat that needs to be manually removed.
Threat name: Trojan.GenericKD.71025853
Path: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json
What I tried, which did not remove the threat (confirmed by repeat Bitdefender scans):
• despite having administrator privileges and using "show hidden files" in Finder, I am unable to open the /Library/InstallerSandboxes/.PKInstallSandboxManager/ folder, and all efforts to unlock the folder via File → Info did not work, despite the fact that I have read and write privileges.
• reboot
• reboot in safe mode
• reinstall Ventura
• clear all caches (using Clean My Mac)
I never access web sites which could be suspicious in any way, and I always have Bitdefender running.
Thanks very much for your time and help
Best Answer
Here are the steps to attempt manual removal:
1 - Disable System Integrity Protection (SIP) temporarily:
  - Restart your Mac in Recovery Mode (hold Command + R during startup).
  - Open Terminal from the Utilities menu.
  - Type csrutil disable and press Enter.
  - Restart your Mac normally.
2 - Attempt to delete the file:
  - Open Finder and press Command + Shift + G.
  - Paste the exact path to the file: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json
  - Right-click the file and select "Move to Trash."
  - If prompted, enter your administrator password.
3 - Re-enable SIP:
  - Repeat steps 1 and 2 from Recovery Mode, but use csrutil enable instead.
If manual removal fails, consider these additional measures:
- Reinstall Xcode: If the threat is associated with Xcode, reinstalling it might help.
- Restore from a backup: If you have a clean backup from before the infection, restore your system to eliminate the threat.
If the issue persists, kindly contact Bitdefender support by visiting https://www.bitdefender.com/consumer/support/
Depending on the product you've selected and the issue you're facing, you can reach a support representative via email, chat, or phone.
If you choose email support, you will receive a ticket number in your registered email. Kindly generate and attach the following logs to the ticket for macOS:
Bitdefender BDsysLog for macOS: https://www.bitdefender.com/consumer/support/answer/11198/
Bitdefender BDProfiler log for macOS: https://www.bitdefender.com/consumer/support/answer/1863/
If the generated logs are larger than 25 MB, which is the attachment limit for most email vendors, you can upload the logs to https://upload.bitdefender.net/ and share the link with the support team.
Regards
Life happens, Coffee helps!
Show your Attitude, when you reach that Altitude!
Bitdefender Ultimate Security Plus (user)
Answers
Thank you very much. I followed your excellent explanations, and can't understand why in recovery → terminal mode, neither of the two "authorized user" names are accepted, although I tried many times, checked the spelling and tried with and without quotes. Would you have an idea?
Also, I tried so many times that I would like to be sure that SIP is indeed disabled. Is there a way to ascertain the status of SIP with a terminal command?
Thanks a million! Your detailed and very intelligent explanations are greatly appreciated!!
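The reply above asks how to confirm from Terminal whether SIP is really disabled, and the Best Answer's procedure turns on knowing that state before and after the attempt. The script below is an added example, not code from anyone in this thread or from Bitdefender: it reads `csrutil status` (the macOS command that reports SIP state), inspects the flagged file's owner, BSD flags and extended attributes (the usual reasons Finder refuses a deletion), and prints a SHA-256 that can be quoted in a support ticket. It never changes SIP or deletes anything. The path is the one quoted in the Bitdefender report; the macOS-only commands are guarded so the parsing helpers also run on a non-Mac shell.

```shell
#!/bin/sh
# Added example (not from the thread): report SIP state and inspect the file
# Bitdefender flagged, so the system state can be confirmed before and after
# the manual steps in the Best Answer. Nothing here disables SIP or deletes
# anything. csrutil, ls -O and xattr are macOS tools and are guarded; the
# parsing helpers run on any POSIX shell.

# Path quoted from the Bitdefender report in the original post.
FLAGGED_FILE='/Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json'

# Map the text printed by `csrutil status` to one word: enabled, disabled or
# unknown (a custom SIP configuration reports "unknown (Custom Configuration)").
sip_state_from_status() {
    case "$1" in
        *'status: enabled'*)  echo enabled ;;
        *'status: disabled'*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Query SIP on this machine; prints "unavailable" where csrutil does not exist.
# `csrutil status` works from a normal boot, so no Recovery Mode is needed.
sip_state() {
    if command -v csrutil >/dev/null 2>&1; then
        sip_state_from_status "$(csrutil status 2>&1)"
    else
        echo unavailable
    fi
}

# Pull the installer-sandbox identifier (the *.activeSandbox directory name)
# out of a path under /Library/InstallerSandboxes/.PKInstallSandboxManager/,
# or print "none" when the path is not inside an installer sandbox. The id is
# handy to quote when asking support which install left the sandbox behind.
sandbox_id_from_path() {
    case "$1" in
        /Library/InstallerSandboxes/.PKInstallSandboxManager/*.activeSandbox/*)
            rest=${1#/Library/InstallerSandboxes/.PKInstallSandboxManager/}
            echo "${rest%%.activeSandbox/*}"
            ;;
        *) echo none ;;
    esac
}

# Show why Finder may refuse the deletion: owner, BSD flags (ls -O lists flags
# such as "restricted" or "uchg"), extended attributes, and a SHA-256 to quote
# in a support ticket. Prints "absent" if the file is no longer there.
inspect_flagged_file() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "absent: $f"
        return 0
    fi
    echo "present: $f"
    ls -ldO "$f"
    xattr -l "$f" 2>/dev/null
    shasum -a 256 "$f"
}

echo "SIP state: $(sip_state)"
echo "Installer sandbox id: $(sandbox_id_from_path "$FLAGGED_FILE")"
inspect_flagged_file "$FLAGGED_FILE"
```

Run it once before following the Best Answer (expect `SIP state: enabled`), again after the Recovery Mode step (expect `disabled`), and a final time after re-enabling SIP. If the file still reports `present` with a `restricted` flag after SIP is disabled, the attempt did not take effect and the Recovery Mode step should be repeated.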