Download: NdisvvanFixer

Recently, the Internet community has been puzzled by a “strange phenomenon” on their computers: the Internet connection is lost after their antivirus program removes malware.

Figure 1: Physical connection is still available, but all network parameters disappear

I found out that this phenomenon happens when a computer is infected with a virus named W32.Ndisvan.Trojan.

This virus, once installed, creates some virtual network adapters named after the system’s adapters, with a “-” mark added at the end:

Figure 2: Fake network adapters

The virus aims to filter the data going to or from network devices, download malware and bypass antivirus software. All of these fake network adapters point to a network filter driver named “ndisvvan.sys” (check carefully, or you will mistake this driver for the Windows driver named “ndiswan.sys”: the letter “w” is replaced by two letters “v” in the fake network filter driver).

Figure 3: Fake network filter driver (on the left)
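The two artefacts described above (an adapter name ending in “-” that shadows a real adapter, and a driver file name that imitates a Windows driver) can be checked for mechanically. The following is an added example, not code from NdisvvanFixer or from the author; the inventory format, the allow-list, the placeholder driver name and the extra “rn” look-alike rule are assumptions that go beyond the single case on this page.

```python
KNOWN_DRIVERS = {"ndiswan.sys", "ndis.sys", "tcpip.sys"}  # assumed allow-list
# Sequences that read like another letter at a glance. "vv" -> "w" is the
# substitution described on this page; "rn" -> "m" is an added generalization.
LOOKALIKES = (("vv", "w"), ("rn", "m"))

def canonical(name):
    """Collapse look-alike sequences so visually similar names compare equal."""
    name = name.lower()
    for fake, real in LOOKALIKES:
        name = name.replace(fake, real)
    return name

def lookalike_of(driver):
    """Return the legitimate driver name this file imitates, or None."""
    driver = driver.lower()
    if driver in KNOWN_DRIVERS:
        return None
    for known in sorted(KNOWN_DRIVERS):
        if canonical(driver) == canonical(known):
            return known
    return None

def shadow_adapters(adapters):
    """Return adapter names that equal another adapter's name plus a trailing '-'."""
    names = {a["name"] for a in adapters}
    return sorted(n for n in names if n.endswith("-") and n[:-1] in names)

def audit(adapters):
    """Return (adapter, reason) findings for shadow names and imitated drivers."""
    findings = []
    shadows = set(shadow_adapters(adapters))
    for a in adapters:
        if a["name"] in shadows:
            findings.append((a["name"], "name shadows a real adapter"))
        imitated = lookalike_of(a["driver"])
        if imitated:
            findings.append((a["name"], f"driver {a['driver']} imitates {imitated}"))
    return findings

# Constructed inventory; nic_vendor.sys and the adapter names are placeholders.
SAMPLE = [
    {"name": "Local Area Connection", "driver": "nic_vendor.sys"},
    {"name": "Local Area Connection-", "driver": "ndisvvan.sys"},
    {"name": "WAN Miniport", "driver": "ndiswan.sys"},
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"[!] {name}: {reason}")
```

A finding only identifies the fake adapter and driver; removing the file alone still breaks the chain.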

If you mistakenly remove “ndisvvan.sys” when deleting the virus files, you accidentally “break” the network filter driver link list, and data then fails to reach the real network adapter. That’s why your computer cannot connect to the network even though it is still connected to the physical network equipment.

Thus, in this case, when removing the virus from the system, in addition to deleting the virus files and virus keys, an AV needs to “re-connect” the “broken” chains in the network filter driver link list.

However, in practice, most AVs fail to do this, which results in the phenomenon described above.

Actually, many users experience this problem, so I developed a tool called NdisvvanFixer. Even if you are infected with this kind of virus and have removed it the wrong way, you needn’t worry too much.

Nguyen Cong Cuong

Senior Malware Researcher

