Help Please I need advice

Discussion in 'iPhone Tips, Help and Troubleshooting' started by Kris66, Sep 16, 2010.

  1. Kris66 macrumors newbie

    Joined:
    Sep 16, 2010
    #1
    Hi all, sorry for the long first post, but here goes.

    I have found this log file on my 3GS that I bought secondhand,
    and from the log it has been loading this from the day I turned it on.
    The phone was not jailbroken when I got it; I did that some 6 weeks later.
    I have read that keybag is a keylogger for the Mac. I can't find the app on the phone, just this log file.
    Has anyone come across anything like it on their phones?
    The file was in /private/var/logs
    Any help would be appreciated.

    this is the log i found

    Sat Jul 17 16:42:52 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Jul 18 07:41:08 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Jul 18 12:09:16 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Jul 18 13:05:36 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Thu Jul 22 08:30:16 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Fri Jul 23 19:43:35 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sat Jul 24 09:04:39 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Jul 25 10:04:47 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Jul 25 10:37:28 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=NULL newpass=SECRET has blob
    Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
    Mon Jul 26 08:43:15 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
    Mon Jul 26 08:43:15 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
    Mon Jul 26 13:37:09 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sat Jul 31 11:27:00 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 1 03:27:20 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 1 05:16:10 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 1 05:32:24 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Wed Aug 4 12:00:54 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
    Tue Aug 10 12:34:39 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Tue Aug 10 13:00:46 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
    Tue Aug 10 13:00:47 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: success
    Tue Aug 10 14:30:18 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Fri Aug 13 17:00:33 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Fri Aug 13 18:58:49 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Fri Aug 13 21:24:48 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Fri Aug 13 23:49:43 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Sat Aug 14 00:42:53 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 15 00:35:18 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 15 10:48:11 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Tue Aug 17 22:07:01 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Tue Aug 17 22:09:01 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Tue Aug 17 22:22:40 2010 pid=20 (0x3e7037c8) main: System Keybag loaded
    Wed Aug 18 15:53:20 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Wed Aug 18 16:12:28 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
    Wed Aug 18 17:31:48 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Wed Aug 18 18:05:34 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Sat Aug 21 02:13:04 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Sat Aug 21 02:14:51 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
    Sat Aug 21 17:51:30 2010 pid=35 (0x3e7037c8) main: System Keybag loaded
    Sat Aug 21 19:23:55 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 22 00:17:32 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Sun Aug 22 12:24:57 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Mon Aug 23 00:18:53 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Mon Aug 30 14:37:50 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Mon Sep 6 00:53:33 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Tue Sep 7 00:11:57 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Tue Sep 7 23:35:54 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Wed Sep 8 18:57:41 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Wed Sep 8 20:05:13 2010 pid=33 (0x3e7037c8) main: System Keybag loaded
    Wed Sep 8 20:07:35 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Wed Sep 8 20:12:35 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Wed Sep 8 20:26:27 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Thu Sep 9 17:29:45 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Fri Sep 10 14:03:23 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Fri Sep 10 14:09:36 2010 pid=37 (0x3e7037c8) main: System Keybag loaded
    Fri Sep 10 14:12:32 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Sat Sep 11 10:13:51 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Sat Sep 11 17:20:37 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Mon Sep 13 18:12:06 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Mon Sep 13 23:34:33 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Tue Sep 14 17:05:26 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Tue Sep 14 17:06:54 2010 pid=36 (0x3e7037c8) main: System Keybag loaded
    Tue Sep 14 17:20:41 2010 pid=34 (0x3e7037c8) main: System Keybag loaded
    Thu Sep 16 20:00:51 2010 pid=36 (0x3e7037c8) main: System Keybag loaded

    Regards Kris
     
  2. -aggie- macrumors P6

    Joined:
    Jun 19, 2009
    Location:
    Where bunnies are welcome.
    #2
    Look for this file on your iPhone

    com.apple.mobile.keybagd.plist

    and post what is inside the file. Use a plist viewer (Property List Editor is one you can use).
     
  3. Kris66 thread starter macrumors newbie

    Joined:
    Sep 16, 2010
    #3
    Thanks for the reply Aggie
    this is what's in it

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.apple.mobile.keybagd</string>
    <key>MachServices</key>
    <dict>
    <key>com.apple.mobile.keybagd</key>
    <true/>
    </dict>
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
    <string>/usr/libexec/keybagd</string>
    <string>-t</string>
    <string>15</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    </dict>
    </plist>


    I have also noticed that when I change my password at the lock screen it shows up in the log
    like this: 2010 pid=147 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=SECRET newpass=SECRET has blob
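
An added example, not part of any post in this thread: Python that parses the log format from post #1, reports any `oldpass=`/`newpass=` value that is not one of the tokens seen in the log, and reads out what the launchd plist from post #3 would run. The function names are hypothetical, and treating `NULL` and `SECRET` as placeholder tokens rather than real passcodes is an assumption.

```python
import plistlib
import re
from datetime import datetime

# Sample input copied from the posts above (log lines from #1, plist from #3, abridged).
SAMPLE_LOG = """\
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: oldpass=NULL newpass=SECRET has blob
Mon Jul 26 08:42:29 2010 pid=572 (0x381000) __handle_changepasscode_block_invoke_1: success
Sun Aug 1 03:27:20 2010 pid=19 (0x3e7037c8) main: System Keybag loaded
"""
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.mobile.keybagd</string>
<key>ProgramArguments</key><array><string>/usr/libexec/keybagd</string><string>-t</string><string>15</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} [\d:]{8} \d{4}) pid=(\d+) "
                  r"\((0x[0-9a-f]+)\) (\w+): (.*)$")
PLACEHOLDERS = {"NULL", "SECRET"}  # assumption: literal tokens, not passcodes

def parse_log(text):
    """Return (timestamp, pid, function, message) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, int(m.group(2)), m.group(4), m.group(5)))
    return events

def leaked_passcode_values(events):
    """Values of oldpass=/newpass= that are not one of the placeholder tokens."""
    values = []
    for _, _, _, msg in events:
        values += re.findall(r"\b(?:old|new)pass=(\S+)", msg)
    return [v for v in values if v not in PLACEHOLDERS]

def summarize_job(plist_bytes):
    """Pull out what launchd would run and under which label."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments", [])
    return {"label": job.get("Label"), "program": args[0] if args else None,
            "args": args[1:], "run_at_load": bool(job.get("RunAtLoad"))}

if __name__ == "__main__":
    print("unredacted values:", leaked_passcode_values(parse_log(SAMPLE_LOG)))
    print(summarize_job(SAMPLE_PLIST))
```

An empty list from `leaked_passcode_values` means every passcode field in the log holds only a placeholder token.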
     
  4. -aggie- macrumors P6

    Joined:
    Jun 19, 2009
    Location:
    Where bunnies are welcome.
    #4
    I decided to check my own phone for this plist, and I had it. I also have the same log as you. Mine started on the day I bought the phone. Therefore, I don’t think this is anything to be concerned about and has nothing to do with the keybag mac software you found. It’s not a trojan.
     
  5. Kris66 thread starter macrumors newbie

    Joined:
    Sep 16, 2010
    #5
    Thanks Aggie
    That puts me at ease a little. Well, the panic is over for now :D
     
  6. djfour macrumors newbie

    Joined:
    Oct 19, 2009
    #6
    Keybagd

    WTF is it? I have the same symptoms as described above. Any mods have a clue? iPhone 3G JB/UL
     
