NavaShield is a rogue antivirus program on Microsoft Windows that tricks unsuspecting users into downloading it, when it is actually malware and nagware. It was initially discovered in 2010, when it advertised itself with the slogan "award winning computer protection". It was popularized by the YouTubers danooct1 and rogueamp. It also makes some grammatical errors in its alerts and such, which is a clue that it is a rogue antivirus.
The logo appears to be a blue shield with a chrome-like color around it with an 'N' centered in it.
In 2013, it was discovered that its servers are currently down, and any registration key entered in its download window is useless.
PayloadIt had its own website, Navashield (dot) com. NavaShield's site looked very user-friendly like any antivirus website, so normal Windows users may have thought it was legitimate. This is aided by the rogue's design.
The rogue does not do anything until one week has passed when it begins nagging the user to buy the "full" version. It does this by making an annoying ticking sound and displaying an ad encouraging the user to buy NavaShield. After the rogue has been on the system for several more weeks, it attempts to simulate an actual malware infection to get the user to purchase the fake program. To do this, it plays the sound of a group of men laughing over and over again. If the user has one of Microsoft's Text-To-Speech voices installed (usually Microsoft Sam), Navashield will make the TTS Voice talk at the user or say nonsensical things, such as "I am a Robot from outer space.", "I love you!", or it can even swear at the user. It also redirects the user to adult content sites if the user goes online. It may also go to Match (dot) com, or Casino (dot) com. It will also open Mail and show a non-existent email address to send to: "beb@sexsex". The icon tray bar will also start changing in size. Finally, another laugh that is higher in pitch starts to play. It also blocks Task Manager to stop the user from cancelling the infection.
Another variant of Navashield will try to fake a malware infection by displaying an inescapable message box that says "Disk drive C:\ is being deleted" and slowly grows while making a beeping sound. Eventually it consumes the entire screen, and afterwards it flashes to the user's desktop wallpaper, but with no icons, taskbar, etc. Some minutes after rebooting, the screen goes back to normal.
- Download and scan with Malwarebytes to remove rogue antiviruses).
- Remove some extra remaining files that may not have been detected.
- Delete the malicious registry entries left by the malware.
- Should there be any more issues, download another virus cleaner like HitManPro and scan the files. If there are any suspicious files, download VirusTotal Uploader and scan said file with it.