
This thread was archived. Please ask a new question if you need help.

How to deal with rogue diverter www.bywill.net in Google.

  • 41 replies
  • 370 have this problem
  • 8 views
  • Last reply by geoffsharris


When a desired site is clicked in Google, www.bywill.net appears in the destination window instead of the site address listed, and a different site is displayed. This happens with IE as well as Firefox. Repeated searches by McAfee disclose no viruses. They suggested site blocking, but this only stops bywell displaying its chosen site.


Chosen solution

Hi Geoff, please do the following.

Download the free version of Malwarebytes from http://www.malwarebytes.org/products/malwarebytes_free and run a full system scan to eliminate malware as the culprit as is often the case.

Next:

  1. Go to about:config again and then in the filter at the top, type: bywell

  2. For every entry which appears with that name in it, right click it and choose "Reset".

  3. Close Firefox and then restart it again to complete the removal.


If all else fails...

  1. Click "Help" | "Restart with add-ons disabled".

  2. Checkmark "Reset all user preferences to Firefox defaults"

  3. Click "Make Changes and restart".

This will remove all your customizations and add-ons and restore Firefox to a virgin state.

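The about:config reset in the answer above can also be checked offline, because changed preferences are saved as user_pref lines in the profile's prefs.js. The following is an added example, not part of the original answer: it goes one step beyond the name filter by also flagging URL-valued preferences that point at hosts outside an allow-list. The sample file contents, the indicator string, the watched preference names and the allow-list are assumptions of the example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample of a profile's prefs.js; every value here is illustrative.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.bywill.net/|about:home");
user_pref("keyword.URL", "http://search.example.test/?q=");
user_pref("browser.search.defaultenginename", "Google");
user_pref("extensions.bywill.enabled", true);
'''

PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')
URL_PREFS = {"browser.startup.homepage", "keyword.URL"}  # assumption: prefs to watch
TRUSTED_HOSTS = {"www.google.com", "www.mozilla.org"}     # assumption: your allow-list


def parse_prefs(text):
    """Return {name: value}; values are decoded as JSON literals when possible."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                prefs[m.group(1)] = m.group(2)  # keep raw text if not JSON-like
    return prefs


def untrusted_hosts(value):
    """Hosts in a '|'-separated URL preference that are not on the allow-list."""
    hosts = (urlparse(u).hostname for u in str(value).split("|"))
    return sorted({h for h in hosts if h and h not in TRUSTED_HOSTS})


def audit_prefs(text, indicator="bywill"):
    """Return sorted (name, reason) pairs for preferences to review or reset."""
    hits = []
    for name, value in parse_prefs(text).items():
        if indicator in name.lower() or indicator in str(value).lower():
            hits.append((name, "matches indicator"))
        elif name in URL_PREFS and untrusted_hosts(value):
            hits.append((name, "untrusted host: " + ", ".join(untrusted_hosts(value))))
    return sorted(hits)


if __name__ == "__main__":
    for name, reason in audit_prefs(SAMPLE_PREFS):
        print(name, "->", reason)
```

Run it against a copy of prefs.js taken while Firefox is closed, since the file is rewritten on exit.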

All Replies (20)


I'm beginning to wonder whether you might have a rootkit on your system which is causing this problem. There's one particular one doing the rounds at the moment called "Google Redirect Virus" which is particularly problematical because it changes Windows system drivers.

It might be a good idea to run a tool created by Kaspersky called TDSSKiller, details and download @ http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

You certainly won't do your system any harm by running it in any event.


Many thanks for your tip but McAfee have taken up the challenge and are due to ring me tomorrow evening so will wait until I hear what they have to say and, hopefully, do before taking any further steps. Geoff


Hi, I tried the steps you listed very carefully. bywell and bywell.net produce no results at all and now I have a whole new crop of redirects by places I never saw before. Is it time to get a new computer? Now I'm thinking bywell has morphed into a whole


sorry, bywell has morphed into a whole new issue.


@ imerlin1, please do the following.

  1. Go to Start, then Run.

  2. Type: devmgmt.msc and click OK. This will take you to Windows Device Manager.

  3. At the top, click "View" and then click "Show Hidden Devices". This will add the category called "Non-Plug & Play Drivers" to the list.

  4. Click the "+" sign to the left of "Non-Plug & Play Drivers" to open the tree view.

  5. If you see TDSS.sys in the list, your system is infected with the Alureon rootkit. In that particular case, go to http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller and follow instructions to remove it.

If you don't see TDSS.sys in the list, then the problem is due to some other malware.


Xircal: McAfee, using 'remote', removed a heap of temp. and other files and ran Malware which found two nasty objects which were removed. Unfortunately they weren't bywill.net related as the problem persists. However Google may be doing something about it as a lot of the time there is no redirection and on one occasion bywill appeared in the destination display but was quickly replaced by the correct address. Once more I will wait and see. Geoff


Hi Geoff,

Can you click the Firefox button, go to Add-ons, then Extensions. Can you see any reference in there to an add-on called XULRunner? If so, remove it.


Xircal: No sign of XUL Runner but thank you for still trying. Geoff


Can you download Microsoft's Malicious Software Removal tool from here and then run a scan? Microsoft Malicious Software Removal tool


The thought occurred to me that this rogue hijacker might have written itself into the Windows "hosts" file. In that particular case, it wouldn't be found by malware scanners.

All Windows operating system versions have such a file which is located in C:\WINDOWS\system32\drivers\etc and doesn't have an extension. Windows looks to that file before requesting the site from your ISP's DNS server. If it finds it, it will simply go to the IP address in the hosts file.

So we need to check that on your system I think. Here are the steps to take.

  1. Open Windows Explorer (press Windows logo key+E) and navigate to C:\WINDOWS\system32\drivers\etc.

  2. Find the file called hosts which will be the only one in there by that name without an extension.

  3. Because it doesn't have an extension, Windows won't know how to open it when you double click it and will present you with a menu where you can choose the program to open it with.

  4. Choose Notepad, but if there's a checkmark in the box called "Always use the selected program to open this type of file with", remove the checkmark. I've included screenshots for you so that you can see what it looks like.

  5. When the hosts file opens in Notepad, you'll see the same entries as the one in the second screenshot on the right. Below where it says "127.0.0.1 localhost", look for this IP address: 69.42.84.138 bywill.net and/or www.bywill.net
  6. If you find them, delete both entries.

  7. Click File, then Save to exit.

Restart Firefox and see what happens.
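The hosts-file check described in the post above, as an added example that is not part of the original post: it parses hosts-format text and reports every name mapped to anything other than the default localhost entry, not only the one address the post names. The sample contents are constructed (only the 69.42.84.138 bywill.net entry comes from the post), and the expected-names set and watch list are assumptions.

```python
import ipaddress

# Constructed sample hosts file; only the bywill.net line is taken from the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
69.42.84.138    bywill.net www.bywill.net   # entry named in the post
203.0.113.7     www.google.com              # constructed: search engine pinned
127.0.0.1       update.example-av.test      # constructed: update host blackholed
not-an-ip       broken.line
"""

# Names that are normal to find mapped to loopback (assumption).
EXPECTED_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) per mapping line; comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text, watch=("bywill.net",)):
    """Return findings as (line_no, name, address, reason) tuples."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, names[0], addr, "malformed address"))
            continue
        for name in names:
            if name in EXPECTED_NAMES and ip.is_loopback:
                continue  # the default localhost mapping
            if any(name == w or name.endswith("." + w) for w in watch):
                reason = "watched domain"
            elif ip.is_loopback or ip.is_unspecified:
                reason = "name sinkholed to local machine"
            else:
                reason = "name pinned to fixed address"
            findings.append((line_no, name, addr, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On the system in this thread the text to pass in is the contents of C:\WINDOWS\system32\drivers\etc\hosts; an empty result matches the "nothing listed after localhost" outcome.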


Xircal: I have successfully downloaded the Microsoft tool twice and each time when I click on Run a window comes up saying that it is extracting the file but this disappears and nothing else happens. However I was able to complete the Hosts procedure but there is nothing listed after 'localhost'. Sorry. You deserve better! I have also established that Bing and Yahoo are similarly affected. Geoff


Hi Geoff, please do the following.

  1. Press Windows logo key + E to open Windows Explorer.

  2. Right click your C:\ drive and go to Properties.

  3. Click the Tools tab and then click the Defragment Now button.

  4. Click the Analyze button in the next menu.

  5. If the message is "You need to defragment this drive now" then go ahead and do that. Otherwise quit.

When that completes, do the following.

  1. Repeat steps 1 & 2 and then click the Check Now button in the Tools tab.

  2. Checkmark the option "Automatically fix file system errors" and then click Start.

  3. The next message tells you that the scan cannot be performed because the disk cannot be locked and whether you want to schedule a scan on the next restart. Click Yes and then restart.

After the system boots to the desktop, try and run the Malicious Software Removal tool.

See screenshots for all of these.


Xircal: Followed your instructions and the result is just the same. Do you think Bywill might be responsible for the failure? Geoff


Were you able to run the Microsoft removal tool Geoff?


No. There is no desktop icon so found the .exe file by using 'Search' and tried to start it that way. Each time the Extracting File window came up and after completion it disappeared and that was that.


There's somebody else who had your problem over at Dell, but after trawling through four pages of troubleshooting, the result was inconclusive: Bywill hijacker

As for Bywill(dot)net, their site just displays outdated copies of news articles (has been showing the same picture for a week now). Their "Terms of Service" and "Privacy" links both produce 404 errors and seem to be non-existent. Also, a Whois search doesn't tell you much either: http://whois.domaintools.com/bywill.net since they're registered anonymously.

Their web hosting company is as follows:

Webair Internet Development Company Inc.
501 Franklin Avenue, Suite 200, Garden City
Phone: +1-516-938-4100
Abuse email: abuse@webair.com

Maybe you could consider contacting them and advise them that they're hosting a browser hijacker.


I was having this issue too, but I found a solution that works. All I did was download Sophos Anti-Rootkit:

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

It was free and solved this very annoying issue. I hope this was helpful!


It seems that the below program has solved my problem. It's strange that as soon as I tried Firefox 5 and the Aurora version this problem appeared, I have used Maxthon for years with no problems like this.

Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org

The below registry keys were found and deleted.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


I use https://encrypted.google.com/

No hijacker, so far, has taken my google search off of the search engine preference.
