HOTSPOTshield - should we allow or block it?

I was studying about the new Safari in Mavericks and its extensions on the Apple site and was somehow connected to hotspotshields, which downloaded automatically and is now in my folder of system preferences. I don't know what to do. Should I keep it or not? I already have my network configured to OpenDNS as suggested by Apple last year, I guess. I even wonder if it is protective or the other way around. The thing is I saw they installed 3 padlocks in my network preference tag named ___ server (3 different ones). I disconnected them, but don't know if I should keep them or find a way to uninstall it all. Some help, please?

Posted on Jun 29, 2014 1:07 PM

14 replies

Jun 29, 2014 1:38 PM in response to Socorro-Mac

Anything that installs without permission is almost by definition malware, and not something you want on your system.


That written (and if this is really the Hotspot Shield package and not something that's pretending to be it), then it was probably installed locally. If the Hotspot Shield package was loaded from a DMG that was downloaded and is still around, then check for a deinstaller that arrived with the DMG package — there are previous discussions here that imply there's a deinstaller available within the DMG package.


It's also possible there's something else going on, and you can post an inventory of your system by downloading and invoking Etrecheck — that tool is from one of the other folks that participates here in the forums, and it intentionally runs with minimal access — no administrative access is required — and then displays some configuration data with all of the personal information removed. That data is intended to be posted here — post that up, and that can indicate what sort of add-ons are installed on your system.


Stuff that's offered to "enhance" or "protect" or "optimize" is usually not necessary with OS X, and it's often best to avoid installing that stuff — particularly if it's free. Some of what's available can be a problem, and for little or no benefit. If it's free, well, your system or your attention could well be what's getting sold...

Jun 29, 2014 3:06 PM in response to MrHoffman

Well, I don't know if it installed without my permission. I was downloading one extension after the other, but I did NOT see it in the app page I was visiting.

Thanks for the link, but if I can't have the name and link of your colleague, I am not going to click on it. I'll try something else. I don't open folders or links that I don't know. Thanks anyway; it was very kind of you.

Jun 29, 2014 4:39 PM in response to Socorro-Mac

The author of that tool is not my colleague. He does post here as Etresoft, and is also a registered Apple developer. The tool was properly code-signed, when I last installed and used it here, too.


If you're not inclined to invoke it — that's entirely your call — there are some general details of what the Etrecheck tool does posted at that site, and you can manually investigate the particular areas that the tool checks.


I'd start with the Safari extensions, and would look around for the deinstaller that arrived with that Hotspot Shield tool — preferences panels are well past what a Safari extension can install (or remove), however. (Removing the preference panel in isolation won't remove the rest of the tool, and might lead to other problems.)

Jun 29, 2014 5:08 PM in response to Socorro-Mac

Socorro-Mac wrote:


Thanks for the link, but if I can't have the name and link of your colleague, I am not going to click on it. I'll try something else. I don't open folders or links that I don't know. Thanks anyway; it was very kind of you.

The link posted above will take you right to my web site from where you can find my name, e-mail address, mailing address, and hopefully any other information necessary to prove my trustworthiness. All EtreCheck will do is see what software is installed and running on your machine in the background.

Jul 1, 2014 2:52 PM in response to etresoft

But what information do you need to answer my question? Neither you nor Mr Hoffman cared to tell me if I should let hotspot in there or NOT. Is it a VPN to protect or something else? I got multiple pieces of information on the internet and don't know what to believe.

- from your program: the only bad thing (in red) I noticed:

Problem System Launch Daemons:

[failed] com.apple.installd.plist

[failed] com.apple.wdhelper.plist

======

Size of backup disk: Too small

Backup size 186.26 GB < (Disk used 87.77 GB X 3)

======

2 GB RAM 5 I had asked AppStore to double it, apparently they forgot and when I went there to pick up my machine I forgot either (World Cup in Rio - everybody was in rush for the game...)

I don't know what to do, but Safari keeps asking me (in background) my iCloud Keychain if I do NOT have an iCloud account !?!

And why is the date different from today? (We are 01july14.) The time is ok and exact. See below:


- 05jan14 17:51:52,846 com.apple.launchd.peruser.503[1355]: (com.apple.wifi.WiFiKeychainProxy[28249]) Idle-exit job was jettisoned. Will bypass throttle interval for next on-demand launch.

- 05jan14 17:51:52,847 com.apple.launchd.peruser.503[1355]: (com.apple.wifi.WiFiKeychainProxy[28249]) assertion failed: 13D65: launchd + 43413 [425516B6-9F3E-342F-87B3-EC461EBA6A1A]: 0x9

- 05jan14 17:51:53,097 com.apple.launchd.peruser.503[1355]: (com.apple.cfprefsd.xpc.agent[28250]) Idle-exit job was jettisoned. Will bypass throttle interval for next on-demand launch.

- 05jan14 17:51:53,097 com.apple.launchd.peruser.503[1355]: (com.apple.cfprefsd.xpc.agent[28250]) assertion failed: 13D65: launchd + 43413 [425516B6-9F3E-342F-87B3-EC461EBA6A1A]: 0x9

- 05jan14 17:51:56,022 WiFiKeychainProxy[28259]: [NO client logger] <Nov 10 2013 18:30:13> WIFICLOUDSYNC WiFiCloudSyncEngineCreate: created...

- 05jan14 17:51:56,022 WiFiKeychainProxy[28259]: [NO client logger] <Nov 10 2013 18:30:13> WIFICLOUDSYNC WiFiCloudSyncEngineRegisterCallbacks: WiFiCloudSyncEngineCallbacks version - 0, bundle id - com.apple.wifi.WiFiKeychainProxy

- 05jan14 17:53:32,937 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:53:32,965 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:53:32,998 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:53:32,999 Safari[14238]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)

- 05jan14 17:58:32,895 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:58:32,925 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:58:32,965 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 17:58:32,966 Safari[14238]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)

- 05jan14 17:59:49,406 com.apple.WebKit.Networking[14240]: ERROR: unable to get the receiver data from the DB!

- 05jan14 18:03:32,955 Safari[14238]: CFNetwork SSLHandshake failed (-9806)

- 05jan14 18:03:32,993 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
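One way to check whether errors in a Console excerpt like the one above are isolated or recur on a schedule, as an added example (not part of the original posts and not EtreCheck code). It parses the posted `DDmonYY HH:MM:SS,mmm process[pid]: message` layout using an excerpt of the posted lines; the function names, the 2-second burst window and the 5-second tolerance are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: an excerpt of the Safari/WebKit lines from the log posted above.
SAMPLE = """\
- 05jan14 17:53:32,937 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
- 05jan14 17:53:32,965 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
- 05jan14 17:53:32,999 Safari[14238]: NSURLConnection/CFURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9806)
- 05jan14 17:58:32,895 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
- 05jan14 17:58:32,925 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
- 05jan14 17:59:49,406 com.apple.WebKit.Networking[14240]: ERROR: unable to get the receiver data from the DB!
- 05jan14 18:03:32,955 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
- 05jan14 18:03:32,993 Safari[14238]: CFNetwork SSLHandshake failed (-9806)
"""
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()  # assumption: English abbreviations
LINE_RE = re.compile(r"(\d{2})([a-z]{3})(\d{2}) (\d{2}):(\d{2}):(\d{2}),(\d{3}) (\S+)\[(\d+)\]: (.*)")

def parse(line):
    """Return (timestamp, process, message), or None if the line does not match."""
    m = LINE_RE.match(line.lstrip("- ").strip())
    if not m or m.group(2) not in MONTHS:
        return None
    d, mon, yy, hh, mm, ss, ms = m.groups()[:7]
    ts = datetime(2000 + int(yy), MONTHS.index(mon) + 1, int(d), int(hh), int(mm), int(ss), int(ms) * 1000)
    return ts, m.group(8), m.group(10)

def burst_starts(times, window=2.0):
    """Collapse entries that follow each other within `window` seconds into one burst."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or (t - last).total_seconds() > window:
            starts.append(t)
        last = t
    return starts

def triage(text, tolerance=5.0):
    """Per (process, message): entry count, burst count, and period if bursts are regular."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse, text.splitlines())):
        groups[ev[1], ev[2]].append(ev[0])
    report = {}
    for key, times in groups.items():
        starts = burst_starts(times)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance
        period = round(sum(gaps) / len(gaps)) if regular else None
        report[key] = {"count": len(times), "bursts": len(starts), "period_s": period}
    return report
```

On this excerpt, `triage(SAMPLE)` reports the Safari handshake failures as three bursts 300 seconds apart.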

Jul 1, 2014 2:53 PM in response to Socorro-Mac

Socorro-Mac wrote:


tell me if I should let hotspot in there or NOT. Is it a VPN to protect or something else? I got multiple pieces of information on the internet.

From what I know of Hotspot Shield (and I don't know a lot about it), it is a VPN that people use to secure their Internet connection when on untrusted networks (like a library or cafe). I use similar software, but a different brand. If Hotspot Shield was installed intentionally by you, it should be OK. If it was installed without your knowledge, it could potentially be used to alter your connection in a bad way but I don't know how realistic that scenario is.


It should be good software, but if you don't know why it's there, it's preferable to delete it.

Jul 1, 2014 3:13 PM in response to Socorro-Mac

What you're describing could be a system breach and/or some rogue software has possibly preempted your DNS resolution, or it could be the result of add-on software, or it could be an innocent click that led to a file download of this Hotspot Shield application that's just sitting there on the disk and can be deleted. (If you did not install that Hotspot Shield tool, then a key question: how did it get onto your system? If it was an unintentional download and something that you might have gotten by accident, that's one thing. If somebody gained access to your system and installed that package, that's a much larger and much more serious problem.)


It's not at all clear what happened here, what has been installed here or even what the errors are that you're encountering — I'm guessing.


As for the mis-set local time, that was either set manually, or was set secondary to a network error or a bad time server, or it could indicate a need to reset the NVRAM, or possibly the need for hardware service if the Mac has somehow lost its internal clock. Having the time mis-set can cause various problems.


Also get good current backups before making any changes here, too. These backups are usually using Time Machine to a Time Capsule, to an external disk, or to a local OS X Server box configured to host Time Machine backups, but these backups can also be Disk Utility or some other local tool — whatever tools that you have chosen to use here.


I'm somewhat hesitant to suggest rolling in existing backups from prior to this event, or to suggest wiping and reinstalling OS X quite yet — getting some idea of what's going on and what's installed would be my preference.


If this discussion thread and this sequence is not something that's helping you move this problem toward resolution, then you might want to visit with a Genius at the local Apple Store (particularly if the system is under warranty or covered by AppleCare), or get something to have a look at it.


That log showed some SSL errors, but nothing really of note that ties back to what's going on here. I'd definitely fix the system time setting, and then check for new errors.


If you want to try different DNS servers from the OpenDNS servers, you can try the Google DNS servers at 8.8.8.8 and 8.8.4.4. (It's not at all clear that there is a DNS problem here, but you do mention OpenDNS for some reason.)


If you want further help here, please post the Etrecheck output, and we'll have a look at what's installed.

If you're not inclined to invoke Etrecheck — and again, that's entirely your call — then I'd start with removing the Safari extensions, and would look around for the deinstaller that arrived with that Hotspot Shield tool — preferences panels are well past what a Safari extension can install (or remove), however. The less you show about the configuration, the less we can help with.

Jul 1, 2014 3:10 PM in response to Socorro-Mac

Socorro-Mac wrote:


I already have my network configured to OpenDNS as suggested by Apple last year, I guess. I even wonder if it is protective or the other way around.

I forgot to mention that the type of VPN protection that a (legitimate) Hotspot Shield installation would provide is completely different than the protection you get by setting DNS to OpenDNS. Because they are different, I use both OpenDNS and a VPN.

Jul 1, 2014 5:20 PM in response to MrHoffman

But Hoffman, the system time seems to be ok, if by that you mean what my computer shows on the bar (thursday, 1 july). What is different is the console "date" (the time is =).

2) In the past, there was a moderator who would supervise the debates and erase the information given by the ones in help, for security reasons. This debate goes to the internet, you know. The less info is made public, the better protected one is. Do you understand my resignation? Also, before, I've already posted things but we could see the photos of the helper and more information in their profile. That's why I prefer to answer what you need, specifically. What is it?

Jul 1, 2014 5:51 PM in response to Socorro-Mac

Socorro-Mac wrote:

2) how can I be sure it is a legitimate hotspotshield ?

I don't know of a test that will verify it. But you could do this:

  1. If you didn't install Hotspot Shield and you have no need for it, uninstall it: http://www.hotspotshield.com/lp/pages/uninstall.html
  2. If you do want to use Hotspot Shield but you are suspicious of your current installation, uninstall it but then go to the Mac App Store to download and install a known legitimate version of it: Hotspot Shield

Jul 1, 2014 7:06 PM in response to Socorro-Mac

The mere presence of that Hotspot Shield tool is troubling — whether it's a legitimate copy or not matters a whole lot less than how it got installed. If it wasn't you that installed it, then what else got changed? It's all suspect. Who changed it? How did they gain access? Are there persistent changes or backdoors? Etc...


If you want the easy answer, then delete the Hotspot Shield bits and hope you haven't been breached.


Not posting anonymized configuration data? Again, your call. Realize that does mean that the answers you get become as much conjecture as certainty, and can easily be missing details that these postings have found — several of my recent postings in the forums discuss breached systems, and systems where keyloggers have been found. Here's an example where a keylogger showed up in an Etrecheck listing.


Get some private help, if you want to pursue this further — whether that's a basic review, or a full forensic investigation. Having dealt with breached servers before, that can be an involved process.


As for what data am I looking for here? In all honesty, I don't know. I didn't expect to find that keylogger in that earlier thread. That's why I asked for the Etrecheck configuration dump, and as you're understandably reticent about posting that data — again: your call — I'd suggest calling in somebody here, if you want to have this system investigated in detail, and that can guide you through the options and the trade-offs and the possible remediations.



FWIW...


It's quite possible to upload most any photo here. As for something that's a little harder to spoof, here you go.


The Apple hosts are most definitely around and are very active, and can be requested to delete errantly-posted confidential data.

Jul 2, 2014 5:32 PM in response to Socorro-Mac

I don't know anything about Hotspot shield. I am just commenting on my program. It is meant to be an overall snapshot of your system. While things in red typically are bad, things that are much worse might not show up in red. It is meant to be posted, in its entirety, along with a description of the symptoms you are experiencing. It isn't magic. It is just something to help someone remotely diagnose what might be going on with your machine.

Jul 7, 2014 9:42 AM in response to Socorro-Mac

Hotspot Shield is a legit program. There is currently no known way for a drive-by download to install something on your machine without user interaction on an up-to-date Mac. (Your Mac isn't running 10.9.4, but 10.9.3 is more than adequately up-to-date for this purpose.) Unless you have stumbled onto something brand new, that nobody else has seen and documented yet (which, though possible, is very unlikely), this is not malware. How it came to be installed, I couldn't say, but you've installed quite a few other things. I imagine you probably installed it at some point and forgot about it, or installed it and then deleted it. Or it may even have been an optional install that piggybacked in with something else you installed.


One other note: you have installed Avast, and have the accompanying "avast! Online Security" browser extension installed. This is known to include an adware feature called SafePrice, which injects ad banners at the top of certain pages. You should remove Avast immediately, using the uninstaller. Be sure that the avast! Online Security extension is removed from Safari (in Safari -> Preferences -> Extensions), as some reports indicate that older versions of Avast's uninstaller do not properly remove this extension.