See: http://evuln.com/tools/malware-scanner/remont-40.ru/
See: http://zulu.zscaler.com/submission/show/de8171113b8fae1e55c88f66641a8788-1383436552
Recommended site scan is quite clear on this detection: http://sitecheck.sucuri.net/results/remont-40.ru/
IP malware status → http://webcache.googleusercontent.com/search?q=cache:BGid-tQ7B8IJ:support.clean-mx.de/clean-mx/viruses.php%3Fip%3D90.156.201.90%26sort%3Demail%2520asc+&cd=2&hl=nl&ct=clnk&gl=nl (because actual Ddos running on Clean MX)
Flagged JS/iFrame.czo malcode mainly on IP domains.
Suspicious javascript on site → Suspicious
x-pingback: htxp://remont-40.ru/wordpress/xmlrpc.php cache-control: max-age=0 expires: sat, 02 nov 2013 23:43:53 gmt <!–[if ie 6]> <html id=“ie6” dir=“ltr” …XML-RPC server accepts POST requests only.
Suspicious 404 error check: Suspicious
Suspicious 404 Page:
.ru/wordpress/xmlrpc.php location: htxp://remont-40.ru/ cache-control: max-age=0 expires: sat, 02 nov 2013 23:43:54 g
Suspicious: htxp://remont-site.reg40.net/%d0%b1%d0%b5%d0%b7-%d1%80%d1%83 (voice-encoding)

This external link is suspicious: htxp://www.kaluga.ru/top20/
Suspicious javascript there: =“url” href=“htxp://www.kaluga.ru/”><img itemprop=“logo” src=“/images/core/logo-top.gif” width=“220” height=“70” alt=“êàëóæñêèé ðåãèîíàëüíûé ñåðâåð kaluga dot ru” title="êàëóæñêèé ðåãè…
alerts on IP: http://urlquery.net/report.php?id=7393128
1 hidden iFrame 1x1 found: but site seems benign: http://evuln.com/tools/malware-scanner/kaluga.rt.ru/
code hicjk-up
aluga.rt dot ru/js/cookieService.js benign
[nothing detected] (script) kaluga.rt dot ru/js/cookieService.js
status: (referer=kaluga.rt.ru/)saved 3211 bytes dc08eddc8d6890f394bbbf55737392a22c6dea21
info: [decodingLevel=0] found JavaScript
suspicious: bad Ivalue * (added by me, polonus)

Damian

Could these theme have been compromised? WordPress theme: htxp://remont-40.ru/wordpress/wp-content/themes/remont-40.ru/
Because there I get a Status: HTTP/1.1 500 Internal Server Error
Request
HTTP/1.1 404 Not Found
Date: Sun, 03 Nov 2013 00:27:54 GMT
Content-Type: text/html; charset=koi8-r
Connection: close
Server: nginx/1.4.2

polonus

the first is detected only the script is blocked

http://i40.tinypic.com/smvy9y.jpg

http://wepawet.iseclab.org/view.php?hash=032c1cbcaff59c4b789c8d149e5546d7&t=1383438148&type=js#sec_deobfuscation

is listed in blacklist just wot

http://www.mywot.com/en/scorecard/remont-40.ru

http://www.urlvoid.com/scan/remont-40.ru/

but the second does not

Hi jefferson santiag,

Thanks for confirming we have protection against JS:includer-AMM[Trj] here.
It is a high level destructive trojan, exceedingly stubborn virus.
Best protection is to use a JavaScript blocking extension and a decent pop-up-blocker in the browser.

polonus

good recommendations
only part of the site is blocked
considering that he was once hacked
appears only listed blacklist at wot and yandex safebrowsing.