Hi Steven Winderlich,

Thanks for that evaluation and the added checks.
I also found this on that domain:
Suspicious javascript check: Suspicious +xml" href=“htxp://intervest21.ru/engine/opensearch.php” title=“intervest21.ru - ðåìîíò êâàðòèð â ìîñêâå” /> <link rel=“alternate” type=“application/rss+xml” title="intervest21.r…
Suspicious included script: Suspect - please check list for unknown includes

Suspicious Script:
intervest21 dot ru/engine/classes/js/dle_js.js
.ru/whois/?ip=‘+a+’" target=“_blank”>‘+b+“”;e[1]=’<a href=“'+dle_root+dle_admin+”?mod=iptools&ip=“+a+'” target=“_blank”>‘+c+“”;e[2]=
Suspicious Script:
intervest21 dot ru/templates/service4x4/js/topmenu.js
document.write(’<iframe id=“iframeshim” src=“about:blank” frameborder=“0” scrolling=“no” style="left:0; top:0; position:absolute; display:no

Browser difference: Not identical

Google: 13080 bytes Firefox: 13305 bytes
Diff: 225 bytes

First difference:
} })(document, window, “yandex_metrika_callbacks”);

On site I get failure:

polonus