New banner adware from htxp://gk.site5.com/t/690?

Is this banner adware → link address of ad: htxp://gk.site5.com/t/690. htxp://gk.site5.com/t/690 redirects to htxp://www.site5.com/p/biz-domain-names/
Nothing here: http://zulu.zscaler.com/submission/show/1f415628f2cd9ff65477857072608d3e-1405725587
and here: https://www.virustotal.com/nl/url/d22ea4e6499d85414ef043717c16581793c873c46671dc067598b2b6dc645545/analysis/1405717665/
ABP filter added for: http://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg
Given clean: https://www.virustotal.com/nl/url/85038da10339918da213dae1ff366754bd2f77318a1be2b86133f7c43b2981d9/analysis/1405717776/
Zulu flags it: http://zulu.zscaler.com/submission/show/fa2359d637eb800f98b985bbb515bcef-1405717768 50/100% suspicious
or already gone: http://urlquery.net/report.php?id=1405718026637

polonus

Your urlQuery scan is wrong, you scanned "down for every one"?.. not the one in your first VT scan

same with your zulu scan and second VT scan

No that banner was really here: htxp://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg

Look here malcode, see attached. Worked through http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.downforeveryoneorjustme.com%2Fimages%2Fdotbiz_banner.jpg&useragentheader=&acceptheader=

This is the urlQuery scan before the banner adware appeared: http://urlquery.net/report.php?id=1396972301980

Somehow it circumvents the ABP blocking. This should be detected. I was able to block it on htxp://www.downforeveryoneorjustme.com/
via Personal Blocklist.

polonus

No that banner was really here: htxp://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg
OK.....

no detection
https://www.virustotal.com/en/file/0475934bd62949c51ae86cc7060b790b9c2f66a83bf63bab014989cc871a4e33/analysis/1405719188/

Earlier detections from Zulu Zscaler => http://zulu.zscaler.com/submission/show/b310b88bdf5c8ffa280e71c0f9872f67-1404640095
For the banner see: http://www.tineye.com/search/cb5293171083770afc40e07976fa663b37c766a7/?pluginver=chrome-1.1.4
see attached.

Short-lived as you see here, Pondus, but it is banner malcode: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.downforeveryoneorjustme.com%2Fimages%2Fdotbiz_banner.jpg&useragent=Fetch+useragent&accept_encoding=
See code here: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Ffetch.scritch.org%2F%252Bfetch%2F%3Furl%3Dhttp%253A%252F%252Fwww.downforeveryoneorjustme.com&useragent=Fetch+useragent&accept_encoding=

 <!--[if lt IE 7]>
            <p class="chromeframe">You are using an <strong>outdated</strong> browser. Please <a href="htxp://browsehappy.com/">upgrade your browser</a> or <a href="htxp://www.google.com/chromeframe/?redirect=true">activate Google Chrome Frame</a> to improve your experience.</p>
        <![endif]-->

To detect IE

 <!-- Main jumbotron for a primary marketing message or call to action -->

and here it comes

 <div class="row col-md-12">
          <a href="htxp://gk.site5.com/t/690" rel="nofollow" target="_new">&lt;img src=&quot;/images/dotbiz_banner.jpg&quot; alt...</a>
        </div> 

and

 <div class="row col-md-12">
          <a href="htxp://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg" rel="nofollow" target="_new">htxp://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg</a> (.Biz)
        </div> (this was how the ABP circumvention worked initially) 

Damian
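To make the inspection Damian did above repeatable, here is an added example (mine, not code from the thread or from any of the scanners mentioned) that parses a page's HTML, lists every anchor together with the image nested inside it, resolves relative paths such as /images/dotbiz_banner.jpg against the page URL, flags links that leave the site's own host, and checks the resolved URLs against a couple of ABP-style filter strings. The HTML and the filter list are constructed from the fragments quoted above (the entity-escaped img tag is written out as real markup); the "||gk.site5.com^" rule is a hypothetical extra rule, not one anyone in the thread added.

```python
"""Extract banner links from page HTML and test them against simple ABP-style
filters. Constructed example modelled on the thread's quoted fragments."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample after the two <div class="row col-md-12"> blocks quoted
# in the thread, plus one ordinary internal link for contrast. Not a live fetch.
SAMPLE_HTML = """
<div class="row col-md-12">
  <a href="http://gk.site5.com/t/690" rel="nofollow" target="_new"><img src="/images/dotbiz_banner.jpg" alt="biz"></a>
</div>
<div class="row col-md-12">
  <a href="http://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg" rel="nofollow" target="_new">http://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg</a> (.Biz)
</div>
<p><a href="/about">About</a></p>
"""
PAGE_URL = "http://www.downforeveryoneorjustme.com/"

# Filter list in the spirit of the ABP rule mentioned in the thread.
FILTERS = [
    "http://www.downforeveryoneorjustme.com/images/dotbiz_banner.jpg",  # rule from the thread
    "||gk.site5.com^",  # hypothetical extra rule for the redirect host (assumption)
]


class BannerLinkParser(HTMLParser):
    """Collect <a href> elements and any <img src> nested inside them."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links = []        # dicts with href, img, external
        self._current = None   # the <a> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            href = urljoin(self.base, a["href"])
            self._current = {
                "href": href,
                "img": None,
                # outbound if the resolved host differs from the page's host
                "external": urlparse(href).netloc != urlparse(self.base).netloc,
            }
            self.links.append(self._current)
        elif tag == "img" and self._current is not None and a.get("src"):
            # resolve relative src so it can be matched against full-URL filters
            self._current["img"] = urljoin(self.base, a["src"])

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def matches_filter(url, rule):
    """Minimal ABP-style matcher: a plain rule matches as a substring of the
    URL; a '||host^' rule matches that host or any of its subdomains."""
    if rule.startswith("||"):
        host = rule[2:].rstrip("^").lower()
        netloc = urlparse(url).netloc.lower()
        return netloc == host or netloc.endswith("." + host)
    return rule in url


def extract_banners(html, base=PAGE_URL, filters=FILTERS):
    """Return one record per anchor: href, nested img, external flag, and
    whether any of its URLs is hit by at least one filter."""
    parser = BannerLinkParser(base)
    parser.feed(html)
    records = []
    for link in parser.links:
        targets = [u for u in (link["href"], link["img"]) if u]
        blocked = any(matches_filter(u, r) for u in targets for r in filters)
        records.append({**link, "blocked": blocked})
    return records


if __name__ == "__main__":
    for rec in extract_banners(SAMPLE_HTML):
        flag = "BLOCKED " if rec["blocked"] else "        "
        ext = "external" if rec["external"] else "internal"
        print(f"{flag}{ext}  {rec['href']}  img={rec['img']}")
```

Matching is done on the resolved absolute URL, so a relative `/images/...` path and the full URL are treated the same; if a banner keeps showing despite a rule for its image, comparing the parser's output with the rule is a quick way to see which of the two URLs (link target or image) the rule actually covers.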

Interesting scan results here from our recommended scanner: http://sitecheck.sucuri.net/results/gk.site5.com/t/690
Website Software outdated, so vulnerable!

Issue detected                     | Definition                      | Vulnerable header
Outdated cPanel Found              | cPanel Security                 | cPanel 11.40.1.17
Outdated Web Server Apache Found   | Vulnerabilities on Apache 2.2   | Apache/2.2.11

System Details:
Running on: Apache/2.2.11
System info: (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Powered by: PHP/5.2.8

Web application details:
Google Analytics installed: UA-5680195-1
Running cPanel 11.40.1.17: wXw.site5.com:2082
cPanel version 11.40.1.17 outdated: Upgrade required.
Outdated cPanel Found: cPanel 11.40.1.17
Outdated Web Server Apache Found: Apache/2.2.11

polonus

Ran the URI debugger on the redirect: GET //wXw.site5.com/p/biz-domain-names/ HTTP/1.1
See: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fwww.site5.com%2Fp%2Fbiz-domain-names%2F&useragentheader=&acceptheader=
Host: wXw.site5.com and from location protocol I get htxps://s.adroll.com" : "htxp://a.adroll.com
Frowned upon here: https://www.mywot.com/en/scorecard/adroll.com?utm_source=addon&utm_content=popup
This site has been blacklisted by a WOT third-party trusted source. Listed in OpenDNS’s Block Tool
and s dot adroll dot com is also listed in OpenDNS’s Block Tool http://forums.opendns.com

polonus