
Windows 7: MSRT June 2017: Removing sneaky Xiazai

14 Jun 2017   #1

64-bit Windows 10 Pro
MSRT June 2017: Removing sneaky Xiazai

In the June release of the Microsoft Software Removal Tool (MSRT), we’re adding Xiazai, a widespread family of browser modifiers that we have blocked and removed from millions of computers since 2015.

Xiazai is a software bundler that can sneak in additional changes. Xiazai does not install itself or make autostart registry entries, but the impact of its changes can persist long after Xiazai itself is gone. MSRT will remove Xiazai but it will also restore system settings.

Xiazai’s extra changes affect browsing experience. On top of offering bundled applications during installation, as software bundlers would do, it can modify browsers’ home page so that the browser always opens to a specific website. It can also change browser shortcuts on the desktop and taskbar so that when the browser is launched using these modified shortcuts, it opens the said website.

This behavior is classified as unwanted based on our evaluation criteria. At Microsoft, we work to protect customers’ choice and control of their devices, computing, and browsing experiences. Xiazai violates this by setting the browser to always open a specific website when launched. Even if the user reverts the home page, the browser will continue to open the said website when launched from the taskbar or desktop. This system change takes away control from the user.

Xiazai is a very prolific threat. We have observed it on more than two million machines since October 2015. It’s also still very active. This year, we blocked some 30K infections on average every month.

Xiazai: Sneaky browser modifier

Xiazai can be downloaded from the Internet as an installer for legitimate software, for example, Adobe Photoshop. When run, it offers to download and install Photoshop, as well as several bundled applications, which are selected by default. There is nothing outright malicious at this point, as the user can opt out of installing the bundled applications.

If the user proceeds, Xiazai downloads the legitimate installer. The installation window asks the user whether to install Photoshop right away or later. And then things get very dodgy.

More bundled applications are offered, again selected by default. There’s also an option to modify browser settings and browser shortcuts, also selected by default.

One of two things can happen at this point:
  1. If the user chooses to install right away, Photoshop is installed, together with the selected bundled applications (six extra applications in total, if the user does not un-select anything), and the browser changes.
  2. If the user chooses to install later, Photoshop is not installed, but the bundled applications are still installed right away and browser settings and shortcuts are modified.
In the second scenario, the user is never again prompted about Photoshop. To actually install the said application, the user has to manually run the downloaded installer. And this is how the true intent of Xiazai is revealed.

Xiazai forces the browser to always open a specific website when launched. There are two ways by which Xiazai does this. First, it modifies the default home page in the browser settings.

Second, it modifies shortcut files on the desktop and on the taskbar to add a URL parameter. With this change, even if the user restores the browser settings, the browser still opens the website when launched from the desktop or taskbar.

Prevention, detection, and recovery

You may encounter Xiazai when searching for installers on third-party sites, but you may get more than what you bargained for. It’s a software bundler that does what you’d expect it to do, which is to install legitimate software. However, it also comes with additional, mostly also legitimate, software that you might not need or want. It also modifies your browsing experience in ways that are unexpected, unwanted, and hard to diagnose.

To stay away from Xiazai, get applications only from official app stores or official vendor websites. Use Microsoft Edge. It uses Windows Defender SmartScreen (also used by Internet Explorer) to block known malicious websites and malicious downloads.

Get the latest protection from Microsoft. Keep your Windows operating system and antivirus, such as Windows Defender Antivirus and Microsoft Malicious Software Removal Tool (MSRT), up to date. If you haven’t already, upgrade to Windows 10.

Block Xiazai and other threats, including new, never-before-seen variants, in real-time. Instant protection from Windows Defender Antivirus cloud protection service is turned on by default. To check that Real-time protection and Cloud-based protection settings are turned On, launch the Windows Defender Security Center, then go to Settings > Virus & threat protection settings.

For enterprises, use Device Guard, which can lock down devices and provide kernel-level virtualization-based security. By allowing only trusted applications to run, Device Guard protects devices from Xiazai and other threats.

Use Windows Defender Advanced Threat Protection to get alerts about suspicious activities, including the download of malware, so you can detect, investigate, and respond to attacks in enterprise networks.

James Patrick Dee, Eric Avena

Microsoft Malware Protection Center

Source: MSRT June 2017: Removing sneaky Xiazai, Windows Security

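The post describes the persistence trick: the browser shortcuts on the desktop and taskbar get a URL appended to their arguments, so restoring the home page alone does not help. The following PowerShell script is an added example (not part of the Microsoft post or MSRT) that audits those shortcut locations for a URL in the arguments and, with -Fix, strips it. The browser executable list and the folder paths are assumptions about a typical installation.

```powershell
# Added example: audit desktop and taskbar browser shortcuts for an injected
# URL argument (the modification described in the post) and optionally clean it.
# Run as administrator to also inspect the all-users desktop.
param([switch]$Fix)

# Assumed locations of the shortcuts the post says get modified.
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
)

# Only shortcuts whose target is a browser are of interest (assumed list).
$browserExe = 'iexplore\.exe|chrome\.exe|firefox\.exe|msedge\.exe|opera\.exe'
$urlPattern = 'https?://\S+'

$shell = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($dir in ($folders | Where-Object { Test-Path $_ })) {
    foreach ($lnk in (Get-ChildItem -Path $dir -Filter *.lnk)) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        if ($sc.TargetPath -notmatch $browserExe) { continue }
        if ($sc.Arguments -match $urlPattern) {
            $findings += New-Object PSObject -Property @{
                Shortcut  = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
            }
            if ($Fix) {
                # Remove the URL, keep any remaining arguments, write the .lnk back.
                $sc.Arguments = ($sc.Arguments -replace $urlPattern, '').Trim()
                $sc.Save()
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No browser shortcuts with a URL argument found.' }
else { $findings | Format-Table Shortcut, Target, Arguments -AutoSize }
```

Review the findings before using -Fix, since a shortcut a user created deliberately to open a site will match the same pattern; the script does not touch the home page setting itself, which MSRT restores separately.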
14 Jun 2017   #2

W7 Ultimate 32-bit

The hair on my back stood up when reading this, but I think I have enough security measures in place to stop this or stopped it in the past, plus caution when deviating from my usual haunts. I would expect this to be on hacked applications that don't have their stock configurations or original launchers, though I'm just guessing.