Alarabeyes coming back after removal

[DanielW]

A few days back I noticed that Explorer, Firefox and Chrome had alarabeyes.com setup as the starting page. So I used Malwarebytes to scan and clean the system.

That worked well, but then after a day the starting page is set back to alarabeyes.com.

I can run the clean again to fix it, but it will come back.

 

I uninstalled Firefox and Chrome (my main browser is Opera, which at least appears to be unaffected).

I've run deep scans with various other malware and virus removal tools and they all say my system is clean (now).

 

Any help would be highly appreciated.

[Firefox]

Hello and Welcome to Malwarebytes

We are not permitted to work on possible malware-related issues here in this section of the forum.

Such work is conducted in a special forum area reserved for that purpose, or at the help desk.

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you

[DanielW]

It seems I was able to resolve this myself.

Maybe the following is helpful for other users:

 

I used ProcMon to find out which process modifies the registry entries. Unfortunately it turned out to be svchost.exe, but with the process and thread ID I could pin it down to the group policy service. With a bit of more digging I found that this service reads the file c:\Windows\System32\GroupPolicy\Machine\Registry.pol, which indeed contained the registry settings that I was looking for. Deleting the file finally made my problem go away.

 

I find it a bit disappointing that none of the half of a dozen Virus scanners and Malware tools that I tried noticed this relatively simple issue.