At my wits' end: unable to remove virus Trojan.GenericKD.71025853 from InstallerSandboxes directory

Mac Studio M1

Mac OS Ventura 13.6.3

Bitdefender 9.4.1.4


Hello,


Bitdefender found a virus which it cannot remove/quarantine and instructs the user to manually remove.


Bitdefender Report:

We identified a threat that needs to be manually removed.

Threat name: Trojan.GenericKD.71025853

Path: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json


What I tried and did not remove the threat (confirmed by repeat Bitdefender scans)

• despite having administrator privileges and using "show hidden files" in Finder, I am unable to open the /Library/InstallerSandboxes/.PKInstallSandboxManager/ folder, and all efforts to unlock the folder via File → Info did not work, despite the fact that I have read and write privileges.

• reboot

• reboot in safe mode

• reinstall Ventura

• clear all caches (using Clean My Mac)

I never access web sites which could be suspicious in any way, and I always have Bitdefender running.


Thanks very much for your time and help


Best Answer

  • Flexx (mod), edited January 1, Answer ✓

    Here are the steps to attempt manual removal:


    1. Disable System Integrity Protection (SIP) temporarily:
      • Restart your Mac in Recovery Mode (hold Command + R during startup).
      • Open Terminal from the Utilities menu.
      • Type csrutil disable and press Enter.
      • Restart your Mac normally.
    2. Attempt to delete the file:
      • Open Finder and press Command + Shift + G.
      • Paste the exact path to the file: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json
      • Right-click the file and select "Move to Trash."
      • If prompted, enter your administrator password.
    3. Re-enable SIP:
      • Repeat steps 1 and 2 from Recovery Mode, but use csrutil enable instead.


    If manual removal fails, consider these additional measures:

    • Reinstall Xcode: If the threat is associated with Xcode, reinstalling it might help.
    • Restore from a backup: If you have a clean backup from before the infection, restore your system to eliminate the threat.


    If the issue persists, kindly contact Bitdefender support by visiting https://www.bitdefender.com/consumer/support/

    Depending on the product you've selected and the issue you're facing, you can reach a support representative via email, chat, or phone.

    If you choose email support, you will receive a ticket number in your registered email. Kindly generate and attach the following logs to the ticket for macOS:

    Bitdefender BDsysLog for macOS: https://www.bitdefender.com/consumer/support/answer/11198/

    Bitdefender BDProfiler log for macOS: https://www.bitdefender.com/consumer/support/answer/1863/

    If the generated logs are larger than 25 MB, which is the attachment limit for most email vendors, you can upload the logs to https://upload.bitdefender.net/ and share the link with the support team.

    Regards

    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

Answers

  • Thank you very much. I followed your excellent explanations, and can't understand why in recovery → terminal mode, neither of the two "authorized user" names are accepted, although I tried many times, checked the spelling and tried with and without quotes. Would you have an idea?

    Also, I tried so many times that I would like to be sure that SIP is indeed disabled. Is there a way to ascertain the status of SIP with a terminal command?

    Thanks a million! Your detailed and very intelligent explanations are greatly appreciated!!

  • @Flexx

    Thanks again very much for your most instructive and well written answer.

    As soon as I disabled the SIP and rebooted, Bitdefender put the file in quarantine, where I deleted it (not via Finder).

    Thank you very much. I am very grateful for your help.