We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : InstallCore

Published May 23rd, 2015 at 9:42 AM EDT , modified May 23rd, 2015 at 9:42 AM EDT

InstallCore is very widespread adware that has been seen in many different malicious installers, including fake Adobe Flash Player installers that don’t actually install anything other than InstallCore. It has also been recently seen being installed by an installer that attempted to avoid analysis with techniques often used by malware.

Early variants of InstallCore involved a browser extension named “searchme”, which is a name also used by the older Spigot adware. It is unclear whether there may be some kind of connection between InstallCore and Spigot, or whether this is a coincidence.


Delete all of the following browser extensions that you find: Set Search Settings, searchmesearchtab, and any extension with a name like xxsearch (where “xx” can be anything), such as jbsearch or mtsearch. In addition, extensions whose names are a person’s name, such as JeffKekko or BrianDeer, should be disabled at least, to see if they might be causing your ad problem. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.) Not all of these may be present in all browsers.

Because of the numerous names used by this adware, it may be easier to use AdwareMedic, if that is a possibility on your system. AdwareMedic detects this adware by content rather than by name.

You may also need to change the home page and search engine settings in your browser’s preferences.

<- Back to Adware Removal Guide