Banner advertisements for a security application said to report false or inflated threats appeared for at least a few days on Microsoft's instant messaging (IM) programme have prompted warnings from security analysts.

Microsoft appears to have removed the ads, which were displayed in the contacts panel for its IM program, Windows Live Messenger, said Sandi Hardmeier, a Microsoft most valued professional – a designation the company gives to people who have expertise with its products.

The programme, known as Winfixer, falsely warns a computer has been infected with malicious software, according to Symantec. It prompts users to download it to remove the threatening software.

"Quite often, it reports files that are perfectly safe," Hardmeier said. "It uses a lot of false positives. Basically, it's a rip off."

Other security companies, such as Sophos and McAfee, classify Winfixer as a "potentially unwanted application".

Hardmeier, who notified Microsoft of the problem, said the ads that appeared on Windows Live Messenger tried two ways to get users to install Winfixer on their machine.

The first was via a pop-up window offering to scan the computer for problems. Depending on the version of Internet Explorer used, Winfixer would try to download itself through an Active X control, said Hardmeier.

The second way was through a banner advertisement that a user would have to click before being taken to a website offering Free PC-Secure, a programme that is detected as Winfixer by most security software, she said. Winfixer goes by several different names, including ErrorSafe and DriveCleaner.

Microsoft had done well preventing spyware programmes from being advertised in banner ads on Windows Live Messenger, formerly known as MSN Messenger, Hardmeier wrote in her blog, Spyware Sucks.

But Winfixer has proved a tricky foe. Advertising networks have had trouble with Winfixer ads suddenly being served up by their networks despite no affiliation with its creators, Hardmeier said.

The suspicion is that organisations have falsely registered with the networks and substituted Winfixer ads – hosted on their own servers – instead of the advertisements they agreed to supply, she said.