Scam virus warning advert leading to avanquest “Onesafe” affiliate software.

Never a dull day… A call from a client today who had been visiting a local council website in the UK. Not sure why but this council website has adverts on it.

One of the adverts on the page for a short period of time was hijacking visitors to a fake virus warning page. Unusually this one isn’t coaxing people into calling a fake technical support service. This time it, after a lot of loud noises and fake screens, tries to get the victim to download some system cleaner software.
The first URL involved in this is a click tracker or forwarder that seems to only allow a single visit and then won’t allow you to visit it again:
hxxps://securitycreative.com/click?node=18&time=REDACTED&id=99&pid=11&fid=11&sid=13344&rank=0&ad=eyJ0aXRsZSI6IiIsInVybCI6IiJ9

Which then forwards the victim onto an AWS Cloudfront site:

hxxp://d1y37pqemhvmd3.cloudfront.net/Multi_3/index.html?ip=10.20.30.40&device_brand=Desktop&device_model=Desktop&browser_name=Chrome&os_name=Windows&osv=Windows%2010&lang=en&domain=smile.affiliatescreative.com&cep=kY8XsxoUKvAh39fB7hDtKl5k7BVlYsW3t_BfI1GMUl-k32CU66Dhk83LFHQDFNIxSND-1Tuz3rP0fsP2xkgsHOEj6SH0Ga9oSG-NZ3j1v4FXu1puNvNUcI_IhPTKbOFyui5Hzx0CpvqBZNR0f0X00ZFgHudAuPp3EUobr8mxgzu5RWu3CXmtGZA-lgUmFco-

Firewall has defined that your Windows Microsoft system is damaged and irrelevant.
As a result, your system files are automatically deleted.
Please follow the instructions to fix the problem immediately. This way you will ensure that your system is always protected.
OK
Windows Version: Windows 10
Please, pay attention: Your version of software is damaged and obsolete. As a result, all system files are automatically deleted: 0 seconds
Important: Click on the “Update* button to install the newest software to scan and protect your files from being deleted.

Wait a moment, please!

Microsoft has defined that you didn’t update your Windows system.
Please do it in avoidance of removal of all your files.
Don’t leave this page before you haven’t updated your system software. It’s in your best interest.

OK

IMMEDIATE ACTION REQUIRED We have detected a trojan virus (e.tre456_worm_Windows) on your PC. Press OK to begin the repair process.
OK

Your PC is infected with 3 viruses. Our security check found traces of 2 malware and 1 phishing/spyware. System damage: 28.1% – Immediate removal required!
The immediate removal of the viruses is required to prevent further system damage, loss of Apps, Photos or other files. Traces of 1 phishing/spyware were found on your PC with Windows.
Personal and banking information is at risk.
To avoid more damage click on ‘Scan Now’immediately. Our deep scan will provide help immediately! 4 minute and 14 seconds remaining before damage is permanent.
Scan Now »

The scan now button then forwards the visitor onto a different sub-directory on the site:

hxxp://d1y37pqemhvmd3.cloudfront.net/microsoft_lander_all_geos_final/index.html?ip=10.20.30.40&device_brand=Desktop&device_model=Desktop&browser_name=Chrome&os_name=Windows&os_version=Windows%2010&lang=en&domain=smile.affiliatescreative.com&clickid=d5QFD054LIFLMV3IH4LPGV5I&country=GB

SCAN IN PROGRESS
Virus Found: Ransomware 2.0; Trojan.Win32.SendIP.15

DOWNLOAD REQUIRED
Your PC is heavily damaged! (33.2%) Please download the PC Cleanup application to remove 3 Viruses from your PC.
[VIRUS INFORMATION
X Virus Name: Ransomware 2.0; Trojan.Win32.SendIP.15 X Risk: HIGH X Infected Files: C:NVINDOWS/System32/migration/ADJF9009de.tfg/windows.exe; C:/WINDOWS/System32/Drivers/spocIsv.exe…
REMOVE VIRUSES NOW
VIRUS REMOVAL
v Application: PC Cleanup v Rating: 9.9/10 v Price: Free

The above page finally gives you a link to an affiliate system where they get paid if you download or install the following software:

hxxps://webtools.avanquest.com/download.cfm?tracking=UTL_EN_PP_CLDEAL_OSPCC&keyword=&campaignID=CLDEAL&clickid=REDACTED&filter=61160&skip=&gclid=&uid=&go=https://cdn.onesafe-software.com/OneSafe_PC_Cleaner/OneSafe_PC_Cleaner.exe

Seems that avanquest don’t have any formal abuse reporting form.. :(