Microsoft automatically removes Soctuseer malware with rootkit capabilities from 1.2 million PCs

Microsoft has automatically removed malicious software that hijacked the browser of internet users and had rootkit capabilities from 1.2 million Windows computers. The malware is called BrowserModifier:Win32/Soctuseer and is be installed when downloading software from third-party websites.


Computers infected by Soctuseer will show advertisements with discounted or lower prices, related to the product that the user is searching from popular online shopping websites. The advertisements have the attribution name of “Social2Search”. For example, if an user searches for “tablet”, Soctuseer will show pop-up advertisements for tablets on other websites.

The malware is able to do its job in all major browsers like Firefox, Chrome, Internet Explorer and Edge because it uses a NetFilter driver and directly injects a DLL  into the browser’s process. Soctuseer also has rootkit capabilities to conceal its presence on a computer.

Microsoft discovered 1.2 million computers that are infected with Soctuseer, mainly in the United States, Indonesia and India.

These computers were automatically cleaned by the built-in Windows tool Malcious Software Removal Tool (MSRT) during yesterday’s Patch Tuesday. When updates are installed,  MSRT automatically scans the computer for malware and removes any malware it finds.