I was sent a URL earlier, that redirected to fake meds (surprise surprise). Checking further however, I arrived at the sites homepage to discover two scripts being loaded, one from a site that has now been cleaned, and another loaded from 188.8.131.52, that is still there;
Trying a quick check, Malzilla, JSUnpack etc failed to decode it, so I figured I'd wait until I had a few mins spare, to do it manually. A look over the code showed the problem - the interpreters couldn't handle the way the script worked, so it required heavy modification to get it to decode.
I can't post the scripts themselves here, as your AVs will go haywire if they've got heuristics enabled, so will post screenshots instead.
Original (before modification)
The result of this, is a lovely little iFrame;
the iFrame itself is the blackhole exploit, loaded from;
This is currently residing at;
IP PTR: Resolution failed
ASN: 34594 184.108.40.206/17 OT-AS OT - Optima Telekom d.d.
Personally I'd recommend putting a block on it if you've not already. I'll leave the decision as to whether to block just the IP or the entire range, up to you.
freewww.info itself is a dynamic DNS service operated by ChangeIP, a service heavily abused by miscreants (not all together surprising, but very disappointing that like no-ip.com and the likes, they're still seemingly doing very little to put a stop to it).