Microsoft security software detects and removes this family of threats.

The Winwebsec family is a group of programs that claim to scan your PC for malware and show you fake warnings of "malicious programs and viruses".

The programs ask you to pay to "register" the software and remove the non-existent threats.

Some of these programs try to impersonate Microsoft by using our name or logos.

They might stop your security software from running, change security settings, stop you from going to certain websites, and download other malware.

Winwebsec variants are usually installed on your PC by other malware.

You can read more on our rogue page.

Find out ways that malware can get on your PC.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Removing "MS Removal Tool"

There are instructions on how to remove the "MS Removal Tool" variant of this malware in the following article:

However, in some cases you may need to use the free tool Windows Defender Offline to fully clean your PC:

The following articles may help if you're having trouble getting the tool to work:

After you've used Windows Defender Offline, you should make sure your security software is up to date and run a full scan:

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Win32/Winwebsec is a family of rogues that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then tell you that you need to pay money to register the software in order to remove these non-existent threats.

This trojan might display a dialog that mimics the Windows Security Center.

Rogue:JS/Winwebsec refers to the malicious JavaScript and HTML pages that are used to trick you into downloading and paying for this rogue.

These pages typically present an animation of what appears to be a scan of your PC. Not surprisingly, when the 'scan' is finished, it reports that your PC is infected with large numbers of different malware. An example of one of these pages can be seen below:

When the animation is finished, you are asked to download a rogue security application, detected as Win32/Winwebsec, that purports to remove these bogus infections.

You might be redirected to sites hosting these fake scanning pages in several ways, including by clicking on misleading advertising, by visiting previously compromised sites, or by following poisoned and subverted search results.

Win32/Winwebsec can also be installed by the following malware families:

We've also seen it installed alongside Win32/Sirefef and Win32/Simda.

Usually, it is installed by other malware or through exploits and social engineering. In some cases, it has been installed through spam messages; however, this is rare.

The user interface and other details vary to reflect each variant's individual branding. These different distributions of the trojan use various installation methods, with file names and system modifications that can differ from one variant to the next.

Some members of the Win32/Winwebsec family might also download additional malware, like:

Current Winwebsec variants seen in the wild (as of December 2013):

Winwebsec variants

brands might use icons or user interfaces similar to the following:

Additional information

Recent variants of Win32/Winwebsec have been using stolen certificates to add false legitimacy to their installation. For more information, see Be a real security pro - Keep your private keys private.

Further reading


Symptoms vary from variant to variant. See the specific encyclopedia descriptions for more information.


Alert level: Severe
This entry was first published on: Aug 17, 2010
This entry was updated on: Apr 17, 2014

This threat is also detected as:
  • System Progressive Protection (other)
  • Adware/AntiSpywarePro2009 (Panda)
  • Adware/UltimateCleaner (Panda)
  • Adware/Xpantivirus2008 (Panda)
  • AntiSpyware Pro 2009 (other)
  • AntiVirus2008 (Symantec)
  • FakeAlert-AntiSpywarePro (McAfee)
  • FakeAlert-WinwebSecurity.gen (McAfee)
  • Live Security Platinum (other)
  • Mal/FakeAV-AK (Sophos)
  • MS Removal Tool (other)
  • Security Tool (other)
  • SecurityRisk.Downldr (Symantec)
  • System Security (other)
  • Security Shield (other)
  • SecurityShieldFraud (Symantec)
  • SystemSecurity2009 (other)
  • Total Security (other)
  • Troj/FakeVir-LB (Sophos)
  • Trojan:Win32/Winwebsec (other)
  • TrojanDropper:Win32/Winwebsec (other)
  • W32/AntiVirus2008.AYO (Norman)
  • Win32/Adware.SystemSecurity (ESET)
  • Win32/Adware.WinWebSecurity (ESET)
  • Winweb Security (other)
  • Essential Cleaner (other)
  • Personal Shield Pro (other)
  • Security Shield 2012 (other)
  • Security Sphere 2012 (other)
  • Smart Protection 2012 (other)
  • Smart Fortress 2012 (other)
  • Win 8 Security System (other)
  • Advanced PC Shield 2012 (other)
  • Disk Antivirus Professional (other)
  • AVASoft Professional Antivirus (other)
  • System Doctor 2014 (other)
  • Attentive Antivirus (other)
  • Antiviral Factory 2013 (other)
  • Antivirus Security Pro (other)
  • Smart Guard Protection (other)