My site is blocked by Avast, please help!

Good afternoon.
We have a problem with the fact that our site http://velobest.ru/ (http://velobest.com.ua) is blocked by Avast Antivirus :(
The report specified that the threat on our website is HTML: RedirBA-inf [Trj].
We have checked the site and found no threats. What can I do?

You can check your site with:
http://dnscheck.pingdom.com
http://www.siteadvisor.com

To check if a website is hosted on afraid.org, go to http://freedns.afraid.org/ and enter URL in the box you see in top right box and then click Trace button. Any domain hosted on afraid.org can be used by other persons for dns hosting without your control. If it happened for your domain, it was misused for malicious purposes - in that case, when nobody has control on subdomains of domain (DNS hijacking), we block the whole domain in order to protect our users. For you, the solution is most probably only changing the dns hosting and letting us know later (www.avast.com/contact-form.php).

3 Drive-By-Downloads: http://safeweb.norton.com/report/show?url=velobest.ru
Bad reputation: https://www.mywot.com/en/scorecard/velobest.ru
6/52 on VT: https://www.virustotal.com/en/url/c73b2e0f7185a768cd4f786a24290e6d640cc401ea0f2f60020eafa3ef050508/analysis/1398365553/
100% malicious by Zulu: http://zulu.zscaler.com/submission/show/7adfae47984e2b19eeba5b9233093f7c-1398365571

VirusTotal
https://www.virustotal.com/nb/file/8115c724b34600b18a5e828f3064bb7ef890ba41eee19e7be215a734cb1bc7eb/analysis/1398366508/

hpHosts list it as EMD http://hosts-file.net/?s=velobest.ru

EMD - Sites engaged in malware distribution. This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) “fake scanners” or other social engineering and misleading tactics. This includes the activities of rogue Internet Service Providers (ISPs) that host other sites to which the EMD classification applies.

Browserdefender http://www.browserdefender.com/site/velobest.ru/

EDIT: seems the site is now removed from hpHosts listing…

See Java Script check on site: Suspicious

e> <meta name=“description” content="ð�ð½ñ�ðµñ�ð½ðµñ� ð¼ð°ð³ð°ð·ð¸ð½ ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ð¾ð² ð¾ñ� ð»ñ�ñ�ñ�ð¸ñ� ð²ðµð»ð¾ð¿ñ�ð¾ð¸ð·ð²ð¾ð´ð¸ñ�ðµð»ðµ…

404 error check: Suspicious

Suspicious 404 Page:
.ru/" /> <meta name=“keywords” content="ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ñ�, ð³ð¾ñ�ð½ñ�ðµ ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ñ�, ð¿ñ�ð¾ð´ð°ð¶ð° ð²ðµð»ð¾

See: http://scanurl.net/?u=velobest.ru&uesb=Check+This+URL#results → status: Site blacklisted, malware not identified
web trust: Site blacklisted.

Also blocked: htxp://mc.yandex.ru/metrika/watch.js (external link).

Badness history of IP: https://www.virustotal.com/nl/ip-address/185.42.12.2/information/
Domain Queried : velobest dot ru

ns1.afraid dot org not found in nameserver list.

Site appears to be hacked.

polonus

Seems All ok

*** Executing trace on velobest.ru using dnstracer. . .
Tracing to velobest.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (2001:0678:0017:0000:0193:0232:0128:0006) Not queried
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns1.multihost.ru [velobest.ru] (217.174.104.171) Got authoritative answer
 |      \___ ns2.multihost.ru [velobest.ru] (217.174.106.66) Got authoritative answer
 |\___ b.dns.ripn.net [ru] (2001:0678:0016:0000:0194:0085:0252:0062) Not queried
 |\___ b.dns.ripn.net [ru] (194.85.252.62)
 |     |\___ ns2.multihost.ru [velobest.ru] (217.174.106.66) (cached)
 |      \___ ns1.multihost.ru [velobest.ru] (217.174.104.171) (cached)
 |\___ d.dns.ripn.net [ru] (2001:0678:0018:0000:0194:0190:0124:0017) Not queried
 |\___ d.dns.ripn.net [ru] (194.190.124.17)
 |     |\___ ns1.multihost.ru [velobest.ru] (217.174.104.171) (cached)
 |      \___ ns2.multihost.ru [velobest.ru] (217.174.106.66) (cached)
 |\___ e.dns.ripn.net [ru] (2001:0678:0015:0000:0193:0232:0142:0017) Not queried
 |\___ e.dns.ripn.net [ru] (193.232.142.17)
 |     |\___ ns1.multihost.ru [velobest.ru] (217.174.104.171) (cached)
 |      \___ ns2.multihost.ru [velobest.ru] (217.174.106.66) (cached)
 |\___ f.dns.ripn.net [ru] (2001:0678:0014:0000:0193:0232:0156:0017) Not queried
  \___ f.dns.ripn.net [ru] (193.232.156.17)
       |\___ ns2.multihost.ru [velobest.ru] (217.174.106.66) (cached)
        \___ ns1.multihost.ru [velobest.ru] (217.174.104.171) (cached)

Domain Queried : velobest.ru

ns1.afraid.org not found in nameserver list.
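
The nameserver check discussed in this thread (is any nameserver the domain is delegated to inside afraid.org?), as an added example that is not part of any post: it parses a dnstracer tree of the shape quoted above and tests each delegated nameserver against a provider zone. The function names and the shortened sample trace are constructed for illustration.

```python
import re

# One hop of a dnstracer tree: "\___ <server> [<zone>] (<address>) <status>"
HOP = re.compile(r"\\___\s+(\S+)\s+\[([^\]]+)\]\s+\(([^)]+)\)")

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def delegated_nameservers(trace, domain):
    """Return {nameserver: {addresses}} for hops that serve `domain` itself."""
    domain = normalize(domain)
    found = {}
    for line in trace.splitlines():
        m = HOP.search(line)
        if m and normalize(m.group(2)) == domain:
            found.setdefault(normalize(m.group(1)), set()).add(m.group(3))
    return found

def shared_dns_hits(nameservers, provider_zones):
    """Nameservers that sit inside one of the given provider zones.

    Matching is on label boundaries, so ns1.afraid.org matches afraid.org
    but ns1.notafraid.org does not.
    """
    zones = [normalize(z) for z in provider_zones]
    return sorted(
        ns for ns in nameservers
        if any(ns == z or ns.endswith("." + z) for z in zones)
    )

# Constructed sample: a shortened trace in the shape quoted in this thread.
SAMPLE_TRACE = r"""
Tracing to velobest.ru[a] via a.root-servers.net., maximum of 1 retries
a.root-servers.net. (198.41.0.4)
 |\___ a.dns.ripn.net [ru] (193.232.128.6)
 |     |\___ ns1.multihost.ru [velobest.ru] (217.174.104.171) Got authoritative answer
 |      \___ ns2.multihost.ru [velobest.ru] (217.174.106.66) Got authoritative answer
  \___ b.dns.ripn.net [ru] (194.85.252.62)
       |\___ ns2.multihost.ru [velobest.ru] (217.174.106.66) (cached)
        \___ ns1.multihost.ru [velobest.ru] (217.174.104.171) (cached)
"""

if __name__ == "__main__":
    servers = delegated_nameservers(SAMPLE_TRACE, "velobest.ru")
    hits = shared_dns_hits(servers, ["afraid.org"])
    for ns in sorted(servers):
        print(ns, sorted(servers[ns]))
    print("afraid.org nameservers:", hits or "none found")
```

Parent-zone hops such as the `[ru]` servers are ignored because only the hops labelled with the domain itself show where it is delegated.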

Mmmm, I registered this domain (velobest.ru) only a few weeks ago… :frowning:

Site seems no longer being blocked by avast!
Web rep still from before the restarted domain: https://www.mywot.com/en/scorecard/velobest.ru?utm_source=addon&utm_content=warn-viewsc
Seems OK here: http://toolbar.netcraft.com/site_report?url=http://velobest.ru
Historically this on the kraken Virus Tracker classification scan: velobest dot ru,185.42.12.2,ns1.multihost.ru,Parked/expired,SpyEye
Extensive header proliferation see attached.

polonus

Yepp) Big thanks for your advice and help!! :slight_smile:

WOT is big trouble… it seems the users who ranked the site before are gone, no one wants to re-check my site(

Yep, WOT is not reliable because it depends on the validity of user input.
It also should be moderated to cleanse the scan results that are no longer actual!

polonus

OMG! It’s neverending)) Sophos strikes back! https://www.virustotal.com/ru/url/c73b2e0f7185a768cd4f786a24290e6d640cc401ea0f2f60020eafa3ef050508/analysis/1398621302/
:o :o :o

Avast is blocking my site again!!! Why? :-\ :-\

I lose my business! ((

These are the latest results: https://www.virustotal.com/nl/url/c73b2e0f7185a768cd4f786a24290e6d640cc401ea0f2f60020eafa3ef050508/analysis/
Javascript check: Suspicious

e> <meta name=“description” content="ð�ð½ñ�ðµñ�ð½ðµñ� ð²ðµð»ð¾ð¼ð°ð³ð°ð·ð¸ð½ ñ�ð¾ñ�ñ�ðµð¹ð½ñ�ñ� ð¸ ð³ð¾ñ�ð½ñ�ñ� ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ð¾ð² ð¿ð¾ ð½ð¸…

404 error check: suspicious

Suspicious 404 Page:
.ru/" /> <meta name=“keywords” content="ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ñ�, ð³ð¾ñ�ð½ñ�ðµ ð²ðµð»ð¾ñ�ð¸ð¿ðµð´ñ�, ð¿ñ�ð¾ð´ð°ð¶ð° ð²ðµð»ð¾

See: http://zulu.zscaler.com/submission/show/7adfae47984e2b19eeba5b9233093f7c-1398365571

pol

Understood, thanks… Now the fight with Zscaler begins

Hi zamalatb,

But there is also this external link that is suspicious according to Quttera’s: http://quttera.com/detailed_report/cloudim.ru
Two instances there of Detected encoded JavaScript code used to hide suspicious activity there. View suspicious code at:
http://jsfiddle.net/dcQJ8/

polonus

Hi polonus!
Cloudim is an online chat tool for the site. I send them this information. Thanks!

P.S. From McAfee I am gone) http://sitecheck.sucuri.net/results/velobest.ru

Only zscaler and Avast left!

No, there is one more to be convinced, see: http://www.urlvoid.com/scan/velobest.ru/

  1. https://www.mywot.com/en/scorecard/velobest.ru
  2. In Bitdefender it has gone.
  3. In hpHosts Online - it has gone.

polonus

Are you kidding?)) From WOT I gone for a few months, years(((((((( And users of WOT cannot rate my site, because of AVAST block! Proof: https://www.mywot.com/en/forum/46510-velobest-ru

Fantozzi on Wed 30 Apr 2014 12:08:05 PM UTC Recent RE: velobest.ru I can't view the site. Avast won't let it through.

http://www.urlvoid.com/scan/velobest.ru/
Only WOT stays

I removed the URL to cloudme.ru
Now my site is clear there: http://zulu.zscaler.com/submission/show/7adfae47984e2b19eeba5b9233093f7c-1398870994

What next?