Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

How to deal with rogue diverter www.bywill.net in Google.

  • 41 uphendule
  • 370 zinale nkinga
  • 192 views
  • Igcine ukuphendulwa ngu geoffsharris

more options

When desired site is clicked in Google www.bywill.net appears in the destination window instead of the site address listed and a different site is displayed. This happens with IE as well as Firefox. Repeated searches by McAfee disclose no viruses. They suggested site blocking but this only stops bywell displaying its chosen site.

Isisombululo esikhethiwe

Hi Geoff, please do the following.

Download the free version of Malwarebytes from http://www.malwarebytes.org/products/malwarebytes_free and run a full system scan to eliminate malware as the culprit as is often the case.

Next:

  1. Go to about:config again and then in the filter at the top, type: bywell

  2. For every entry which appears with that name in it, right click it and choose "Reset".

  3. Close Firefox and then restart it again to complete the removal.


If all else fails...

  1. Click "Help" | "Restart with add-ons disabled".

  2. Checkmark "Reset all user preferences to Firefox defaults"

  3. Click "Make Changes and restart".

This will remove all your customizations and add-ons and restore Firefox to a virgin state.

Funda le mpendulo ngokuhambisana nalesi sihloko 👍 7

All Replies (20)

more options

I'm beginning to wonder whether you might have a rootkit on your system which is causing this problem. There's one particular one doing the rounds at the moment called "Google Redirect Virus" which is particularly problematical because it changes Windows system drivers.

It might be a good idea to run a tool created by Kapersky called TDSSKiller, details and download @ http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

You certainly won't do your system any harm by running it in any event.

more options

Many thanks for your tip but McAfee have taken up the challenge and are due to ring me tomorrow evening so will wait until I hear what they have to say and, hopefully, do before taking any further steps. Geoff

more options

Hi, I tried the steps you listed very carefully. bywell and bywell.net produce no results at all and now I have a whole new crop of redirects by places I never saw before. Is it time to get a new computer? Now I'm thinking bywell has morphed into a whole

more options

sorry, bywell has morphed into a whole new issue.

more options

@ imerlin1, please do the following.

  1. Go to Start, then Run.

  2. Type: devmgmt.msc and click OK. This is take you to Windows Device Manager.

  3. At the top, click "View" and then click "Show Hidden Devices". This will add the category called "Non-Plug & Play Drivers" to the list.

  4. Click the "+" sign the left of "Non-Plug & Play Drivers" to open the tree view.

  5. If you see TDSS.sys in the list, your system is infected with the Alureon rootkit. In that particular case, go to http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller and follow instructions to remove it.

If you don't see TDSS.sys in the list, then the problem is due to some other malware.

more options
more options

Xircal: McAfee, using 'remote', removed a heap of temp. and other files and ran Malware which found two nasty objects which were removed. Unfortunately they weren't bywill.net related as the problem persists. However Google may be doing something about it as a lot of the time there is no redirection and on one occasion bywill appeared in the destination display but was quickly replaced by the correct address. Once more I will wait and see. Geoff

more options

Hi Geoff,

Can you click the Firefox button, go to Add-ons, then Extensions. Can you see any reference in there to an add-on called XULRunner? If so, remove it.

more options

Xircal: No sign of XUL Runner but thank you for still trying. Geoff

more options

Can you download Microsoft's Malicious Software Removal tool form here and then run a scan? Microsoft Malicious Software Removal tool

more options

The thought occurred to me that this rogue hijacker might have written itself into the Windows "hosts" file. In that particular case, it wouldn't be found by malware scanners.

All Windows operating system versions have such a file which is located in C:\WINDOWS\system32\drivers\etc and doesn't have an extension. Windows looks to that file before requesting the site from your ISP's DNS server. If it finds it, it will simply go to the IP address in the hosts file.

So we need to check that on your system I think. Here are the steps to take.

  1. Open Windows Explorer (press Windows logo key+E) and navigate to C:\WINDOWS\system32\drivers\etc.

  2. Find the file called hosts which will be the only one in there by that name without an extension.

  3. Because it doesn't have an extension, Windows won't know how to open it when you double click it and will present you with a menu where you can choose the program to open it with.

  4. Choose Notepad, but if there's a checkmark in the box called "Always use the selected program to open this type of file with", remove the checkmark. I've included screenshots for you so that you can see what it looks like.

  5. When the hosts file opens in Notepad, you'll see the same entries as the one in the second screenshot on the right. Below where it says "127.0.0.1 localhost", look for this IP address: 69.42.84.138 bywill.net and/or www.bywill.net
  6. If you find them, delete both entries.

  7. Click File, then Save to exit.

Restart Firefox and see what happens.

more options

Xircal: I have successfully downloaded the Microsoft tool twice and each time when I click on Run a window comes up saying tht it is extracting the file but this disappears and nothing else happens. However I was able to complete the Hosts procedure but there is nothing listed after 'localhost'. Sorry. You deserve better! I have also established that Bing and Yahoo are similarly affected. Geoff

more options

Hi Geoff, please do the following.

  1. Press Windows logo key + E to open Windows Explorer.

  2. Right click your C:\ drive and go to Properties.

  3. Click the Tools tab and then click the Defragment Now button.

  4. Click the Analyze button in the next menu.

  5. If the message is "You need to defragment this drive now" then go ahead and do that. Otherwise quit.

When that completes, do the following.

  1. Repeat steps 1 & 2 and then click the Check Now button in the Tools tab.

  2. Checkmark the option "Automatically fix file system errors" and then click Start.

  3. The next message tells you that the scan cannot be performed because the disk cannot be locked and whether you want to schedule a scan on the next restart. Click Yes and then restart.

After the system boots to the desktop, try and run the Malicious Software Removal tool.

See screenshots for all of these.

more options

Xircal: Followed your instructions and the result is just the same. Do you think Bywill might be responsible for the failure? Geoff

more options

Were you able to run the Microsoft removal tool Geoff?

more options

No. There is no desktop icon so found the .exe file by using 'Search' and tried to start it that way. Each time the Extracting File window came up and after completion it disappeared and that was that.

more options

There's somebody else who had your problem over at Dell, but after trawling through four pages of troubleshooting, the result was inconclusive: Bywill hijacker

As for Bywill(dot)net, their site just displays outdated copies of news articles (has been showing the same picture for a week now). Their "Terms of Service" and "Privacy" links both produce 404 errors and seem to be non-existent. Also, a Whois search doesn't tell you much either: http://whois.domaintools.com/bywill.net since they're registered anonymously.

Their web hosting company is as follows:

Webair Internet Development Company Inc.
501 Franklin Avenue, Suite 200, Garden City
Phone: +1-516-938-4100
Abuse email: abuse@webair.com

Maybe you could consider contacting them and advise them that they're hosting a browser hijacker.

more options

I was having this issue too, but I found a solution that works. All I did was download Sophos Anti-Rootkit:

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx

It was free and solved this very annoying issue. I hope this was helpful!

more options

It seems that the below program has solved my problem. It's strange that as soon as I tried Firefox 5 and the Aurora version this problem appeared, I have used Maxthon for years with no problems like this.

Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org

The below registry keys were found and deleted.

Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> Quarantined and deleted successfully.

Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

more options

I use https://encrypted.google.com/

No hijacker, so far, has taken my google search off of the search engine preference.

  1. 1
  2. 2
  3. 3