Microsoft security software detects and removes this family of threats.

This family of rogue security programs pretend to scan your PC for malware, and often report lots of infections. The program will say you have to pay for it before it can fully clean your PC.

However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.

Even if you do pay to "unlock" the app, it won't do anything because your PC isn't actually infected with all that malware it "found".

Different brands of the rogues may modify various settings on your computer, end or close programs or system services, or block access to websites.

by other malware.

You can read more on our rogue page.

Find out ways that malware can get on your PC.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Remove programs

You might need to manually remove this program:

Removing "MS Removal Tool"

There are instructions on how to remove the "MS Removal Tool" variant of this malware in the following article:

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Winwebsec is a family of rogues that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then tell you that you need to pay money to register the software in order to remove these non-existent threats.

This trojan might display a dialog that mimics the Windows Security Center.

Rogue:JS/Winwebsec is the malicious JavaScript and HTML pages that are used to trick you into downloading and paying for this rogue.

These pages typically present an animation of what appears to be a scan your PC. Not surprisingly, when the 'scan' is finished, it reports that your PC is infected with large numbers of different malware. An example of one of these pages can be seen below:

When the animation is finished, you are asked to download a rogue security application, detected as

Win32/Winwebsec , that purports to remove these bogus infections.

You might be redirected to sites hosting these fake scanning pages in several ways, including by clicking on misleading advertising, from visiting previously compromised sites or by following poisoned and subverted search results.

Win32/Winwebsec can also be installed by the following malware families:

We've also seen it installed alongside Win32/Sirefef and Win32/Simda.

Usually, it is installed by other malware or through exploits and social engineering. In some cases, it has been installed by spam messages, however this is rare.

The user interface and other details vary to reflect each variant's individual branding. These different distributions of the trojan use various installation methods, with file names and system modifications that can differ from one variant to the next.

Some members of the Win32/Winwebsec family might also download additional malware, like:

Current Winwebsec variants seen in the wild (as of December 2013):

Winwebsec variants

brands might use icons or user interfaces similar to the following:

Additional information

Recent variants of Win32/Winwebsec have been using stolen certificates to add false legitimacy to their installation. For more information, see Be a real security pro - Keep your private keys private.

Further reading


Symptoms vary from variant to variant. See the specific encyclopedia descriptions for more information.


Alert level: Severe
This entry was first published on: Aug 17, 2010
This entry was updated on: Aug 06, 2014

This threat is also detected as:
  • System Progressive Protection (other)
  • Adware/AntiSpywarePro2009 (Panda)
  • Adware/UltimateCleaner (Panda)
  • Adware/Xpantivirus2008 (Panda)
  • AntiSpyware Pro 2009 (other)
  • AntiVirus2008 (Symantec)
  • FakeAlert-AntiSpywarePro (McAfee)
  • FakeAlert-WinwebSecurity.gen (McAfee)
  • Live Security Platinum (other)
  • Mal/FakeAV-AK (Sophos)
  • MS Removal Tool (other)
  • Security Tool (other)
  • SecurityRisk.Downldr (Symantec)
  • System Security (other)
  • Security Shield (other)
  • SecurityShieldFraud (Symantec)
  • SystemSecurity2009 (other)
  • Total Security (other)
  • Troj/FakeVir-LB (Sophos)
  • Trojan:Win32/Winwebsec (other)
  • TrojanDropper:Win32/Winwebsec (other)
  • W32/AntiVirus2008.AYO (Norman)
  • Win32/Adware.SystemSecurity (ESET)
  • Win32/Adware.WinWebSecurity (ESET)
  • Winweb Security (other)
  • Essential Cleaner (other)
  • Personal Shield Pro (other)
  • Security Shield 2012 (other)
  • Security Sphere 2012 (other)
  • Smart Protection 2012 (other)
  • Security Shield 2012 (other)
  • Smart Fortress 2012 (other)
  • Win 8 Security System (other)
  • Advanced PC Shield 2012 (other)
  • Disk Antivirus Professional (other)
  • AVASoft Professional Antivirus (other)
  • System Doctor 2014 (other)
  • Attentive Antivirus (other)
  • Antiviral Factory 2013 (other)
  • Antivirus Security Pro (other)
  • Smart Guard Protection (other)