Scam virus warning advert leading to avanquest “Onesafe” affiliate software.

Never a dull day… A call from a client today who had been visiting a local council website in the UK. Not sure why but this council website has adverts on it.

One of the adverts on the page for a short period of time was hijacking visitors to a fake virus warning page. Unusually this one isn’t coaxing people into calling a fake technical support service. This time it, after a lot of loud noises and fake screens, tries to get the victim to download some system cleaner software.
The first URL involved in this is a click tracker or forwarder that seems to only allow a single visit and then won’t allow you to visit it again:
hxxps://securitycreative.com/click?node=18&time=REDACTED&id=99&pid=11&fid=11&sid=13344&rank=0&ad=eyJ0aXRsZSI6IiIsInVybCI6IiJ9

Which then forwards the victim onto an AWS Cloudfront site:

hxxp://d1y37pqemhvmd3.cloudfront.net/Multi_3/index.html?ip=10.20.30.40&device_brand=Desktop&device_model=Desktop&browser_name=Chrome&os_name=Windows&osv=Windows%2010&lang=en&domain=smile.affiliatescreative.com&cep=kY8XsxoUKvAh39fB7hDtKl5k7BVlYsW3t_BfI1GMUl-k32CU66Dhk83LFHQDFNIxSND-1Tuz3rP0fsP2xkgsHOEj6SH0Ga9oSG-NZ3j1v4FXu1puNvNUcI_IhPTKbOFyui5Hzx0CpvqBZNR0f0X00ZFgHudAuPp3EUobr8mxgzu5RWu3CXmtGZA-lgUmFco-

firewall has defined windows damaged.png

Firewall has defined that your Windows Microsoft system is damaged and irrelevant.
As a result, your system files are automatically deleted.
Please follow the instructions to fix the problem immediately. This way you will ensure that your system is always protected.
OK
Windows Version: Windows 10
Please, pay attention: Your version of software is damaged and obsolete. As a result, all system files are automatically deleted: 0 seconds
Important: Click on the “Update* button to install the newest software to scan and protect your files from being deleted.

wait a moment please microsoft defined update your windows system

Wait a moment, please!

Microsoft has defined that you didn’t update your Windows system.
Please do it in avoidance of removal of all your files.
Don’t leave this page before you haven’t updated your system software. It’s in your best interest.

OK

pc infected with 3 viruses our security check.png

IMMEDIATE ACTION REQUIRED We have detected a trojan virus (e.tre456_worm_Windows) on your PC. Press OK to begin the repair process.
OK

Your PC is infected with 3 viruses. Our security check found traces of 2 malware and 1 phishing/spyware. System damage: 28.1% – Immediate removal required!
The immediate removal of the viruses is required to prevent further system damage, loss of Apps, Photos or other files. Traces of 1 phishing/spyware were found on your PC with Windows.
Personal and banking information is at risk.
To avoid more damage click on ‘Scan Now’immediately. Our deep scan will provide help immediately! 4 minute and 14 seconds remaining before damage is permanent.
Scan Now »

The scan now button then forwards the visitor onto a different sub-directory on the site:

hxxp://d1y37pqemhvmd3.cloudfront.net/microsoft_lander_all_geos_final/index.html?ip=10.20.30.40&device_brand=Desktop&device_model=Desktop&browser_name=Chrome&os_name=Windows&os_version=Windows%2010&lang=en&domain=smile.affiliatescreative.com&clickid=d5QFD054LIFLMV3IH4LPGV5I&country=GB

fake microsoft scan in progress.png

fake microsoft scan found ransomware win32 sendip.png

SCAN IN PROGRESS
Virus Found: Ransomware 2.0; Trojan.Win32.SendIP.15

pc heavily damaged download required.png

DOWNLOAD REQUIRED
Your PC is heavily damaged! (33.2%) Please download the PC Cleanup application to remove 3 Viruses from your PC.
[VIRUS INFORMATION
X Virus Name: Ransomware 2.0; Trojan.Win32.SendIP.15 X Risk: HIGH X Infected Files: C:NVINDOWS/System32/migration/ADJF9009de.tfg/windows.exe; C:/WINDOWS/System32/Drivers/spocIsv.exe…
REMOVE VIRUSES NOW
VIRUS REMOVAL
v Application: PC Cleanup v Rating: 9.9/10 v Price: Free

The above page finally gives you a link to an affiliate system where they get paid if you download or install the following software:

hxxps://webtools.avanquest.com/download.cfm?tracking=UTL_EN_PP_CLDEAL_OSPCC&keyword=&campaignID=CLDEAL&clickid=REDACTED&filter=61160&skip=&gclid=&uid=&go=https://cdn.onesafe-software.com/OneSafe_PC_Cleaner/OneSafe_PC_Cleaner.exe

onesafe pc cleaner tool.png

Seems that avanquest don’t have any formal abuse reporting form.. :(

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to Scam virus warning advert leading to avanquest “Onesafe” affiliate software.

  1. Adam says:

    Did you manage to figure out what is causing this? I’ve been experiencing this issue as well, I’ll be playing a game in full screen and then this URL will open by itself. I can’t work out what’s causing this! Nothing found when I did an Avira scan

  2. An advert on a website that was left open on the computer.

  3. Adam says:

    Hmmm, I have AdGuard Adblocker installed and when this last occurred for me I only had Steam and Wikipedia open! Was “hoping” it was a virus that caused this. Unfortunately it seems that this is a recent issue, as this is the only article I’ve been able to find.

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s