See: http://chrome.quttera.com/chrome_detailed_report/www.proticaret.net
In the code escaped characters above (, %3a, %2f, %2f, %2f, %3a, %2f, %2f, %…) decodes to something like → :///:///|:///|:///:///|:///:///|
\n (a links ID)
The unknown html malware seems still active, logged: Created socket 9. Releasing 0x08ca7810 (new refcount 1) connection from
212.175.22.10
Looks like escaped anchor tags. Are there any specifics to where you find these values?
As you can see :/// is the pattern in your research. The general full-domain anchor syntax is http://www.avast.com/, which matches your pattern perfectly.