Hi goodwitch and also Steven Winderlich,
Will try to cover this general IP block, as that is what I think it is, and I came up with this in-depth information for you. Para-Noid was right on the spot with his assumption!
In a sense Steven Winderlich may be right: there is no actual malware at the site at this moment, also as the avast! detection is a general one, URL:Mal, which could also be a general IP block (because of malware residing there). Here the most likely cause for the flag is that that site is known to be a notorious malvertiser in the Russian Business Network, see:
http://urlquery.net/report.php?id=6500985
IDS alert for "ET RBN Known Malvertiser IP (17)", hence a general IP block.
* The Current IP is pulled in realtime so may differ from the IP we have on record.
And this info comes from a scanner that flags this site also:
http://hosts-file.net/?s=care2.com There are domain or netblock problems ->
http://hosts-file.net/?s=Help#ipresolve
This is a site with a PSH qualification, that means a PHISHING site, Severity: High Risk.
The recommended security scan at Sucuri's provides us with the following info:
Sucuri
web site: care2 dot com
status: Site blacklisted, malware not identified
web trust: Site blacklisted* . * = Site found to be used on spam campaigns (either forum, comment or SEO spam).
*Cached results from more than 2 days ago.
Security report (Warnings found):
error Blacklisted: Yes
error Likely compromised: Yes
This VT report may be the reason why avast! Web Shield may block that IP:
https://www.virustotal.com/en/ip-address/63.146.170.87/information/
Furthermore the Project Honey Pot system has detected behavior from the IP address 63.146.170.87 that is consistent with that of a Bad Web Host.
Code to be checked: d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90 benign
[nothing detected] (iframe) d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/110;s=1;d=14;w=728;h=90
status: (referer=www.care2.com/)saved 5063 bytes 891a0bdc31476e3e662b1fe5381599a27a23a151
info: [iframe] d3.zedo dot com/jsc/d3/ff2.html?n=885;c=864/
info: [script] d7.zedo dot com/bar/v17-010/d3/jsc/gl.js
info: [iframe] yads.zedo dot com/ads3/a?
info: [decodingLevel=0] found JavaScript
error: undefined variable Image
error: line:5: TypeError: Image is not a constructor
suspicious: ->
http://www.mywot.com/en/scorecard/d3.zedo.com?utm_source=addon&utm_content=popup-donuts
Report quote there from Puddin Tame:
"multi-site tracking, profile building, click hijacking, and deceptive ads that look like legitimate items (e.g. a news article) but are actually adverts. Zedo is so large (and likely profitable!) that they probably don't engage in out and out evil behaviour like spreading viruses, but the basis of their entire business is collecting as much of your information as possible, with or without your consent."
But they try to clear their slate here:
http://www.mywot.com/en/forum/5423-zedo-is-not-spyware-or-malware?new=1348893595#new
Go through the discussion there and make up your own point of view (on a side note: I personally like to block such annoying pop-up ads, but that is me).
Then there are insecurities there flagged at Quttera's:
/polls/vote?pollID=35265&results
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['<span class="comment-pages">Most Recent ... </span><span class="comment_link_selected">Oldest</span>']] of length 12025 which may point to obfuscation or shellcode.
For threat dump see:
http://quttera.com/detailed_report/care2.com#ReportTabPotSusp
File size[byte]: 59429
File type: ASCII
MD5: B9ED749D954024F7F6285946D292B8FC
Scan duration[sec]: 0.427000
Well that more or less covers it all,
polonus