New Adware method: manipulating browser shortcuts to change the home page

Martin Brinkmann
Oct 7, 2014

Whenever browser makers tighten the defense systems of the browser it does not take long usually before advertising companies and malware writers find new methods to penetrate those defense.

Some browsers display information to the user when the homepage changes while others such as Chrome may even reset settings automatically when changes are noticed.

If you have installed the most recent version of Auslogics Disk Defrag, a popular disk defragmentation software for the Windows operating system, you may have noticed that it displays an offer after installation of the core program to install something that makes the home page in web browsers on the system.

Set as the home page in your web browsers and have all your favorite websites at your fingertips every time you start your browsing session.

bitable browser home page

If you open the Bitable website you will notice that it resembles contents that are opened on a browser's new tab page by default. You find a search there, thumbnail links to popular sites, date and weather information, and some other information.

If you click continue (which means give your okay so that the program makes the change) all open browsers are closed. When you restart the browser, you may notice that the home page has changed.

The change affects popular browsers such as Chrome, Internet Explorer and Firefox at the very least and maybe other browsers as well.

If you check the browser's start page settings however you will notice that it has not been modified.

bitable website

And here comes the new part and why I'm writing about it, the Bitable modification does not manipulate a browser setting, it changes only the shortcut on the system.

If you take Chrome as an example: Instead of just pointing to the chrome.exe file on the system, it adds " at the end instructing the browser to load only this url and no other. This means no session restore and none of the usual home pages that may be loaded instead.

To find out if this is indeed the case on your computer, right-click the browser shortcut on the taskbar. Here you may find properties listed directly or after you right-click a second time on the browser name that is displayed there.

Check the target field of the properties window and if you find a url attached at the end, you are affected by this. To resolve it, remove the url at the end.

browser shortcut modified

An alternative to that is to delete the shortcut with a right-click, and create a new shortcut using the start menu or a file explorer and the program directory of the browser.

Closing Words

It is likely that this method will be used by other companies as well so that this method to manipulate browser home pages will become a common issue for Internet users.

As always, it is important to read before clicks are made on buttons or links as much of this can be avoided then. If you are working in tech support or the go-to guy or girl when it comes to fixing computer problems, then this is something you may want to look in as well from now on.

New Adware method: manipulating browser shortcuts to change the home page
Article Name
New Adware method: manipulating browser shortcuts to change the home page
A new form of adware adds a url to the browser shortcut to load it as the new browser home page instead of manipulating that preference directly in the browser.

Previous Post: «
Next Post: «


  1. Sammy said on November 4, 2015 at 6:22 pm

    I think some adwarse are plainly annoying, like sonic train, lots of pops and make you not even look at page clearly, Chrome is the most weak, loose and vulnerable browser. Anyway anyone with any idea how i can get my hands on any raw code of any adware? a site or a link? am interested to study them further…

  2. R00dy said on October 10, 2014 at 6:11 am

    There is a smal tool called “unchecky” that could identify a lot of these cr@p-ware..
    It’ll uncheck them, and warn you before hitting next button.

  3. Lior said on October 9, 2014 at 5:48 pm

    Thanks a LOT!
    It should be illegal to set homepages in browsers. even subject to user approval.

    Thanks :)

  4. Paul(us) said on October 9, 2014 at 3:09 pm

    And the story is even getting stranger by the minute! :-)

    The same company (Auslogics) that brings you all that unwanted manipulating browser shortcuts to change the home page
    brings to you now the free: Auslogics Browser Care
    Accoutring to ( Auslogics) there p.r. department this bring to you
    This unique tool lets you take back full control of all browsers installed on your PC. Clean up, speed up and keep your web browsers well-maintained for top performance!

    Remove unwanted toolbars or plugins
    Change hijacked home page to the page you want
    Set your preferred search engine as default
    Clear cache to unclutter your drive and speed up your browser
    Manage all installed browsers from one place

    Version History for Auslogics Browser Care:

    But or this will also clean there manipulating browser shortcuts to change the home page I cant determine after reading there
    (download) website

  5. b003 said on October 9, 2014 at 3:45 am

    Conduit and now this? Another company I won’t do business with.

  6. rickxs said on October 8, 2014 at 11:40 pm

    If malwarebytes fails, I turn to Adwcleaner —— in fact i give it a run every week -very quick to scan, ie 30secs

  7. Eli said on October 8, 2014 at 6:19 pm

    Maybe they do this to sell their other product ‘Browser-Care’ lol.

    Auslog is such a joke now, I used to love their Defragger, I wish and hope a good disk defragmentation program would crop up now, to bad Piriform’s defragger sucks hard and that open source one hasn’t been touched in years. Woe is me.

  8. D243 said on October 8, 2014 at 1:05 pm

    This shows that it is not recommended to recklessly install software.

    Some has reported that the home page on their Firefox/IE Chrome installations has changed to US-based Bitable without warning.

    For those who still want to use Auslogic Disk Defrag, one redditor recommend using the Ninite installer for the program in question.

    1. Jeff said on October 8, 2014 at 5:58 pm

      Yes, if Ninite has it, that is always the best route.

      My advice is to avoid all Auslogics products these days. They’ve sold out to malware installers. ESET reports their Registry cleaner tool as being malware as well, saying it includes a variant of the ‘monetizer’ malware or some such.

      Auslogics used to be reputable, but they’ve crossed over to the dark side.

  9. Christoph Wagner said on October 8, 2014 at 11:03 am

    It’s not adware, it’s malware as it breaks your setup system.

  10. Uhtred said on October 8, 2014 at 10:52 am

    thanks for heads up on the shortcut change.

    I wonder, as it seems they lock onto browser.exe shortcuts, would it simply be worth setting just the browser shortcut properties on taskbar to do not modify … or would permissions when installing the carrier software overwrite that? It might make browser updates more of a hassle, but better secure and all that…

  11. Pants said on October 8, 2014 at 2:33 am

    Now we’ll need processes that alert us to changes to shortcuts .. idk .. i see this as a OS problem, but .. maybe .. browsers can be proactive in this >> i.e if page loaded on new session is not the homepage or a session restore, then prompt? Dunno .. sometimes my browser is not open and i click an url (in an email or RSS feed) and i don’t want to be bitched at about that.

    meanwhile .. I’m still waiting for all USB connections to be sandboxed >> .. and also … where are my pants?

  12. Meena Bassem said on October 8, 2014 at 2:15 am

    i don’t want to sound like the bad guy here but this is not new at all to me. I’ve been seeing this for over a year with some friends’ computers, mostly some crapware like hao123 and some crap like that. they changed the home page and the shortcut as well, even the start menu shortcut and the shortcut on the taskbar (for both chrome and firefox)
    what might be new is that they just change the shortcut but not the home page, (or they possible changed it but chrome reset it,…… or something).

    anyway, if i learned something from installing a lot of software,
    – when there’s an option for express install and custom, NEVER go to express. the custom install will allow me to not install the toolbar, change homepage and search engine and stuff.
    – when there’s an option to either accept or skip, always go to skip. don’t just accept without checking the other options. they might be in a small font, a link label and not even a button. but don’t just fall for the trap and click accept, next and…….

    1. Blue said on October 8, 2014 at 7:14 pm

      Good advice but there is no rule or law to say, the “Next” button only does what we think it’s suppose to do. The sneakier ones set anything and everything as a, “Yes please install your crap-ware on my computer”… including the X in the corner to close the pop-up box. Nothing works as it is suppose to and any click we do install their crap-ware on our computers. Often it is a rootkit type of installation if we tried to not install their crap-ware.

      If Malwarebytes Pro (registered version) fails, I use CCleaner Pro (also registered version), but if even that fails there is only one option, “Combofix”… to be used with caution as it is a root/core capable scanner which can also destroy a system if you don’t follow the instructions before letting it run. Fully read the how-to-use Combofix link below. Make note of the /uninstall command.

      At this time ComboFix can only run on the following Windows versions:

      Windows XP (32-bit only)
      Windows Vista (32-bit/64-bit)
      Windows 7 (32-bit/64-bit)

    2. Keith D said on October 8, 2014 at 3:29 pm

      “- when there’s an option for express install and custom, NEVER go to express.”

    3. Jeff said on October 8, 2014 at 5:33 am

      Agreed. I work on PC’s a lot, and I’ve seen this technique used in the past.

  13. ZzzZombi said on October 8, 2014 at 12:15 am

    For years my go-to anti-virus or anti-malware software is myself. Well, I’m a human being but you got the point.

    I think popular trustworthy softwares, most importantly web browsers, should make people read or watch some information regarding these kinds of things. It can be done when the user installed it and ran the browser the first time. A short and easy to understand video could be displayed or a summarized text, informing the user about the basic usage of installing softwares and malicious websites.

    Because, as I said, at the end of the day, no matter what anti-X software people use, there’ll always be a new X and people will keep installing those Xs.

  14. vux777 said on October 8, 2014 at 12:10 am

    Recently I had similar experience when installing some free software for video compression. Shopper Pro got slipped into my system (I’m sure I didn’t accepted any additional offer). Result was that all my browsers were infected (chrome, opera, IE, FF..). It changed the home/start page and search engine to something else (*don’t remember which one).
    None of the AV software could remove it (MWBytes, MSE, some specialized tools just to get rid of SP…).
    I ended up reinstalling OS :)
    oh…and it pulled some additional apps from net (some YT download cr*p, some kind of “security tools” bs…and so on).
    Silently in the background. Until I realized that something is going on, it already pulled around 100 MB of net traffic (and I was on mobile broadband, and my FW was turned off, otherwise it would never get online)…. I wanted to kill someone :)
    There should be law against those ?%#$#$”

  15. Rick said on October 7, 2014 at 11:30 pm

    The reason I use Uniextract. In your example with Auslogics, the installation files are in the {tmp} folder after the extraction. The {app} folder has the real program without the possibility of accidentally installing this malware, or I would even say in this case, spyware.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.