Internet Explorer 6 hijacking I: internet Options menu

Topics on this page:

1. Introduction

2. Internet Options menu

Go to: Part II: home page and blank page

Go to: Part III: Window Title, Search and Local Pages

 

Introduction

Internet Explorer (IE) hijacking means if one or more of your IE settings have been changed without your consent by a webpage you've visited. This is a rather complicated topic because it can happen in many places (the home (start) page, the blank page, the search page, the toolbar, the Internet Options settings menu, individual tabs of the settings menu, the right click menu and the window title) and by different means (e.g. group or local registry policies, ActiveX controls, scripts).

Note: if it is a version or variant of CoolWebSearch then you can get more information here as it is very hard to remove. You need the CoolWebShredder tool. The about:blank page has now been used too as part of CoolWebSearch. For other hijacked home sites especially search page and toolbar hijacks you should search on the internet (especially this site) for more up to date specific fix. You usually find answers in forums or ask in forums. This is a general guide which should work in the vast majority of cases of hijacks other than CoolWebSearch or about:blank page hijacks.

This is a general guide which should work in the vast majority of cases. Because different hijacking methods are used there is no universal solution that applies. Often there is more than one method and increasingly with more sophisticated hijacks you have to do several things and here is where a systematic approach would help. If you're  after a quick fix often it will not suffice.

A system administrator can also use similar techniques to prevent individual users from changing settings. This article helps you to overcome hijacking and not to defy your administrator's policies.

Usually the hijack objects automatically start up because they lodge in the registry. They may also prevent you from resetting your options.

There are third party programmes that will remove these hijack objects. Here I will show you how to do it with the registry editor, the Group Policy Editor and freeware tools in Windows XP and IE6 with SP1. To maximise the chance of success it is important thing to stop (End process) all running non-essential processes in Task Manager first and delete any suspicious processes.

In addition, clean out your Windows temp files, IE temporary internet files (including index.dat, refer to my article here), cookies, history, typed URLs (those in the Address bar), Trojans, adware and spyware.

Your IE browser is vulnerable if its security settings are not high enough. Prevention is better than cure, so you'll find advice on setting your own policy restrictions in these three articles and increasing your IE security levels on another article (link). Use another browser instead.

Towards the end of Part III there is a summary of the general approach to tackling hijacking and a list of the other registry keys involved. Also try System Restore (which restores the whole registry) and restore by NTBackup (if the backup includes the System State), ASR (Windows XP Professional only) and from a full image (Ghost or similar). Unless your system is severely damaged by viruses beyond repair there should be no need for a reformat and reinstall.

 

2. IE6 Internet Options menu

The Internet Options menu itself can be restricted or individual tabs inside can be disabled.

2.1. Internet Options menu restriction

In Internet Explorer 6, Tools, Internet Options you can normally change your homepage, security and other settings. If however you get a Restrictions box with a message saying:

"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."  (Fig. 1), your Internet Options setting control panel applet has been disabled. This can also be seen for other Windows programmes, including the registry editor (see my article on this).

Restrictions window

Fig. 1. Restrictions warning box.

 

The registry key has a Restrictions subkey with a DWORD of (1) (Fig. 2):

HKEY_CURRENT_USER\Software\Policies\Microsoft\
Internet Explorer\Restrictions
Name: NobrowserOptions
DWORD:  (1) = restriction in effect

restrictions registry key

Fig. 2. HKCU Restrictions key.

 

The default registry key for IE policies has no Restrictions subkey. Open the registry editor and reset the data value from (1) to (0) leaving the Restrictions subkey there or delete the subkey altogether. The setting takes effect immediately without re-logon or reboot.

In Windows XP Professional, you can unlock this restriction in the Group Policy editor (Start, Run, gpedit.msc) under:

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus
Tools menu: Disable Internet Options... menu option
(Fig. 3).

Double-click this item and reset it to Not configured (which deletes the Restrictions subkey) or Disabled (which resets the DWORD to (0)).

Group Policy browser menu

Fig. 3. Group Policy editor: Browser menus.

 

Or, download and run HijackThis  (or download here), click the Scan button, locate and tick the offending entry (06 in the example) and click Fix checked (Fig. 4).

HijackThis window showing restrictions present

Fig. 4. HijackThis scan log showing Restrictions key.

 

However, please note that HijackThis will show this key even if it's value is set to (0). This key is absent by default.

 

2.2. Internet Options: individual tabs disabled

The individual tabs of the menu can be disabled or hidden; the Group Policy editor can reset them in:

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
Disable the General (or Security, Content, Connections, Programs, Privacy, Advanced) pages.

The corresponding registry keys are:

HKEY_CURRENT_USER\Software\Policies\Microsoft\
Internet Explorer\Control Panel

GeneralTab
SecurityTab
ContentTab
ConnectionsTab
ProgramsTab
PrivacyTab
AdvancedTab

Setting a DWORD value of 1 in each case would disable or hide the tab. To re-enable the tab, delete the name and value in the registry. It is also worth checking the HKLM policy key too: although this is not altered by the Group Policy editor it is a possible place for hijacking.

 

Go to TOP

Go to Part II: Internet Explorer 6 hijacking II: home page and blank page

 

Copyright © 2003 by Kilian. All my articles including graphics are provided "as is" without warranties of any kind. I hereby disclaim all warranties with regard to the information provided. In no event shall I be liable for any damage of any kind whatsoever resulting from the information. The articles are provided in good faith and after some degree of verification but they may contain technical or typographical errors. Links to other web resources may be changed at any time and are beyond the control of the author. Articles may be added, removed, edited or improved at any time. No support is provided by the author.

This is not an official support page for HijackThis or other products mentioned. All the products mentioned are trademarks of their companies. Edit the registry at your own risk and back up first.

Last updated 23 June 2004

 

1