18 Replies Latest reply: Dec 18, 2008 6:08 AM by Dearon16
hannehanne Level 1 (0 points)
I installed Hotspot Shield which seems widely recommended for wifi security.

Apart from doubts that it really increases your security -- even if it channels traffic through a vpn connection, why would I want to route my traffic through a server I know nothing about?? -- there is now an even greater concern: I am not able to uninstall it. I have no idea what this software is doing, where it is installed, which bits are still working and so on.

The situation is this. Hotspot Shield gets installed in the /Applications folder. If user connects to internet, there appears a banner at the top of the browser page. One can click on the banner and create a vpn channel to a remote server.

Uninstall: Hotspot says one has to remove the "/Applications/Hotspot Shield" folder. I did that. But the banner keeps appearing. This banner is a code snippet, in javascript, that is inserted at the beginning of EVERY html page that your browser (firefox, safari) retrieves. Both firefox and safari are affected; also, when I switch to another user (under whose account I have never used Hotspot connection), then the banner appears. This seems to imply that Hotspot installation is not contained only in the "/Applications/Hotspot Shield" folder or user preferences, the system folders are affected -- something that is unacceptable.

Hotspot webforum seems closed; I could not post a question there. A google search is useless as regards uninstalling or removing.

Does anyone have experience with this? Any suggestions about how to successfully remove this software?

Thanks, Hanne


MB 13, Mac OS X (10.5.4)
  • Tim Haigh Level 7 (24,185 points)
    The point of a vpn or an ssh connection is that it uses encryption so can be used on an untrusted network to securely connect to other servers.

    I do not use any 3rd party security on my MacBook Pro other than WaterRoof which is a gui to configure the built in unix firewall ipfw.

    I never connect to banks, email etc when using an untrusted wireless hotspot. I vpn or ssh into my server and open a vnc session and then open mail and my web browser on the server not locally.

    If you have a system-wide removal problem then check for any entries of the software in

    /Library/Application Support

    I just downloaded it to have a look at it. I will need a while to figure it out.

    I see that they are just offering a vpn server for you to tunnel into and a GUI to manage that connection.

    If you have a desktop mac at home you can configure it to be an ssh server and achieve the same thing without costing you any money.
  • hannehanne Level 1 (0 points)
    Thanks --

    I had a look at the /Library folders you refer to but haven't been able to identify anything specifically related to hotspot shield.

    It would be really helpful if you could let me know what files/folders are possibly added into any of those system wide folders, or changed. On my system, I guess this trick would not help since whatever is there already just gets overwritten so I don't see the difference.


  • Super Ann Level 1 (0 points)
    I had this problem too... very annoying! Looked in all the usual places and didn't find any traces, but finally tried resetting Safari and that did it!
  • hannehanne Level 1 (0 points)
    Thanks -- can you please specify what you mean by resetting Safari? Merely restarting it or cleaning the cache does not change anything on my box.

    HSS must have installed something in the system area, outside user's home directory or browser profile; it is independent of the browser one is using. To see that this is the case I created a test user account and bang! the banner was there immediately.

    HSS apparently inspects the http stream coming into one's box and inserts a javascript just after the <body> tag in the page -- have a look at the html code. To my mind, this is not only annoying but quite worrying. If they can do that, they can potentially do anything since one has stupidly given HSS one's password.

    Also, in my case I thought I had uninstalled HSS. It was only a month later when I went to a cafe when the banner started reappearing. It does not appear in all cafes, only a couple of them. Again this is worrying since it means it may be the case the software is actually working, it's just that the user is not aware of it.

    For these reasons I have absolutely no trust in that software. I'll reinstall my whole system asap. Nobody seems to know how HSS works; their webpage and OS X uninstall instructions are useless: they say what one knows anyways (drag the app to trash box), but that does not help. One can't email them; their forum is a closed one. And if you think of it, there is no reason to install for security reasons anyways. If I go to a bank or email, one should use an SSL connection anyways, in which case I don't need a vpn.


  • Tim Haigh Level 7 (24,185 points)
    Thanks -- can you please specify what you mean by resetting Safari? Merely restarting it or cleaning the cache does not change anything on my box.

    Go to Safari's application menu --> Reset Safari
  • hannehanne Level 1 (0 points)
    Resetting Safari -- seems equivalent to Delete Private Data in other browsers -- has no effect whatsoever. The phenomena I've described -- that the banner appears in every user's browser -- couldn't occur if cleaning personal browsing data would do the trick. I even deleted my browser profile for firefox; didn't help either.


  • Andy Calado Level 1 (25 points)
    Check your /Library/Extensions and /System/Library/Extensions folders for a file called foo.tun. A quick way to check if this kernel extension is installed is to run the following command in Terminal:

    kextstat | grep -v apple

    If you didn't disconnect the VPN before trashing the app, then this is probably still installed. Simply quitting Hotspot Shield does not disable it. What I did find is that even if you disable the VPN and then delete the application, the extension will still be loaded in memory as running kextstat showed the foo.tun file, but I couldn't physically locate it on the hard drive. A reboot took care of this. After rebooting, foo.tun no longer showed up when running kextstat.

    I used AppZapper to delete the app, and it didn't find any other associated files, so I'm not sure if there's anything else lingering. If you do find the foo.tun file installed on your system even after a reboot, it might be a good idea to reinstall the app and disable the vpn using the little menu that appears in the top right corner of your screen. Then quit it and drag the app icon to the Trash.

    Unfortunately I haven't been able to find any definitive uninstall instructions. If anyone finds some, please post it.
  • hannehanne Level 1 (0 points)
    Thanks --

    but the foo.tun extension is in the Hotspot directory and it gets trashed with the application.

    I tried everything you tell but nothing helps. HSS runs ajaxserver and another server I forget, see "sudo lsof -i"; it also loads foo.tun. On my box, foo.tun is gone; it's not loaded -- I checked sudo kextstat. None of the servers is started either. No Hotspot application is running ("ps -ef" shows nothing related to Hotspot). There is literally nothing running on the box that can be associated with Hotspot. And yet, when I clear the caches of all browsers and restart my computer, and start firefox or safari, the Hotspot banner is there!!! I am actually really curious about the mechanism they're using to do this. Remember, this mechanism is user-independent -- so whatever plugin or setting they've installed, it must reside outside /User directory; that piece of software is able to inspect any http stream incoming to your computer and insert the javascript code snippet right after the <body> tag of any html file loaded by any user.

  • capiendo Level 1 (0 points)
    I think the file you're looking for is tun.kext; look for it in the directories that Calado mentions.

    Let us know if deleting it works.
  • Tony Dickinson Level 1 (5 points)
    Hi thanks.

    My ISP started to block rapidshare and I decided to try hotspot shield with the same results as the comments above. The only way I can stop the banners is by quitting the ajaxserver which is shown in Activity Monitor. This can be quitted when hotspot has been disabled, otherwise it immediately starts again if hotspot is running. There is no owner for the process just shows as ??? and I guess that this could be seen as a security breach.

    Please help us Apple.....
  • pelled Level 1 (0 points)
    Hotspot Shield installs a login item under "System Preferences -> Accounts -> Login Items."

    Remove it from the list if you haven't already.
  • Jorge Paulo Level 1 (0 points)

    I also installed Hotspot Shield. It works by running a web server as a proxy in order to create the vpn connection. To see if it is running, point your browser to http://localhost:895/config . If you get a response, then it is running. Make sure you disconnect from it.

    In my case, I just had to kill the ajaxserver process, which was running under /Applications/Hotspot

    Also check your network DNS servers, to see if it left something behind.

  • kernelpanik Level 1 (0 points)
    I've been dealing with this for the last few days with Firefox, and have tried everything on this page. Clearing private data doesn't work, but I had success when I cleared cookies - there's a whole bunch associated with Hotspot. I'd suggest clear all of them and see how you go.

    Can't guarantee anything, but I hope this helps.
  • Spoony! Level 1 (0 points)
    I just uninstalled it using AppZapper. Uninstall and then reset. Sorted everything
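
The checks suggested across this thread (kextstat for foo.tun, lsof -i for ajaxserver, the listener on port 895) can be combined into one triage script. This is an added example, not part of any poster's reply; the sample command output is constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage command output for the leftovers named in this thread.
# On the affected Mac, feed it live output instead of the samples:
#   kextstat | third_party_kexts
#   sudo lsof -i -n -P | suspicious_listeners

# Constructed sample of `kextstat` output (not captured from a real machine).
SAMPLE_KEXTSTAT='Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (9.4.0)
   12    0 0x5f1000   0x3000     0x2000     com.apple.BootCache (30.3) <7 6 5 4 2>
   75    0 0x2f9f8000 0x4000     0x3000     foo.tun (1.0) <7 6 5 2>'

# Constructed sample of `sudo lsof -i -n -P` output.
# lsof truncates COMMAND to 9 characters, so ajaxserver shows as "ajaxserve".
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
mDNSRespo  21 _mdnsresponder  7u  IPv4 0x3a1c5d0 0t0  UDP *:5353
ajaxserve 412 root    5u  IPv4 0x3b2e270 0t0  TCP 127.0.0.1:895 (LISTEN)
firefox-b 530 user1  32u  IPv4 0x3c41a68 0t0  TCP 10.0.1.5:49211->192.0.2.10:80 (ESTABLISHED)'

# Print bundle IDs of loaded kexts that are not Apple's: the same idea as
# `kextstat | grep -v apple`, but skipping the header and keeping only the name.
third_party_kexts() {
  awk 'NR > 1 && $6 !~ /^com\.apple\./ { print $6 }'
}

# Print "command pid address" for TCP listeners that belong to ajaxserver
# or are bound to port 895 (the local proxy port mentioned in the thread).
suspicious_listeners() {
  awk 'NR > 1 && /\(LISTEN\)$/ {
         addr = $(NF-1)
         if ($1 ~ /^ajaxserve/ || addr ~ /:895$/) print $1, $2, addr
       }'
}

# $1 = kextstat output, $2 = lsof output.
# Returns 0 if either leftover is present, 1 if the machine looks clean.
hss_leftovers() {
  local kexts listeners
  kexts=$(printf '%s\n' "$1" | third_party_kexts | grep -Fx 'foo.tun' || true)
  listeners=$(printf '%s\n' "$2" | suspicious_listeners)
  [ -n "$kexts" ] && echo "kext still loaded: $kexts (reboot, then re-check)"
  [ -n "$listeners" ] && echo "proxy still listening: $listeners"
  [ -n "$kexts$listeners" ]
}

hss_leftovers "$SAMPLE_KEXTSTAT" "$SAMPLE_LSOF"
```

A clean result here only covers the two indicators above; the login item and DNS settings mentioned in the thread still need to be checked in System Preferences.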