Avast giving false positive to the visitors : Solved

It's not funny when a visitor sends an email to the webmaster saying Avast is throwing a pop-up about a harvesting trojan horse, while the situation is that the gzipped cached version is delivered to the visitors via the WP Super Cache plugin (it's WordPress).

Here is the screenshot from our visitor:

http://dl.dropbox.com/u/21598651/Avast-block.jpg

With this text (exactly copy-pasted):

Hi,

lately Avast pops up with a warning (see pict linked under website) and I don’t know what to do. I do not believe you’re trying to infect my pc.

Regards,

(Name hidden to protect visitor’s privacy)

A similar topic can be found in this Avast forum thread from end users: http://forum.avast.com/index.php?topic=74347.0

All ads are served via Google's ad network (either AdSense or the DoubleClick partner network).

There is no malware issue with our server or the zone. Norton and Google give a green signal.

Let us know the solution. We cannot ask our visitors to either stop using Avast or turn it off.

The domain with the problem is here: hxtp://thecustomizewindows.com

Sucuri says infected…!
http://sucuri.net/malware/malware-entry-mwjs2368

Hi Abhishek459845, welcome to the forum :slight_smile:

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

It seems Avast (and Sucuri) are alerting on a JavaScript file on your website that seems to contain some malicious script.

The specific alert is:

hXXp://thecustomizewindows.com/wp-content/plugins/wp-minify/min/?f=wp-includes/js/l10n.js,wp-includes/js/jquery/jquery.js,wp-content/themes/genesis/lib/js/menu/superfish.js&m=1314678661

And that appears to be multiple js files?
So you need to look at the js files and remove the offending code. Perhaps a backup of a previous version.

Thanks for the excellent help.

./wp-includes/js/l10n.js?ver=20101110 and ./wp-includes/js/jquery.js?ver=1.6.1 were infected. These are core WordPress files, so we simply deleted them and added them from the WordPress repository.
It probably came from a CDN we abandoned a few days ago for another serious issue.

Still, we will keep an eye on the site’s status.

Yes, they are minified and combined. All fixed ;D

http://dl.dropbox.com/u/24611920/clean-now.png

Thank you very much again. :slight_smile:
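Added example, not code from this thread, from WordPress or from Avast: a small Python core-file integrity check of the kind that would have flagged the modified l10n.js and jquery.js before a visitor's antivirus did. The manifest and file contents below are constructed stand-ins; on a real install the per-version path-to-MD5 list comes from WordPress's own checksum API (api.wordpress.org/core/checksums/1.0/), which is what `wp core verify-checksums` compares against.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for pristine core files (not real WordPress sources).
CLEAN_L10N = b"// pristine l10n.js (constructed stand-in)\nfunction convertEntities(o){return o}\n"
CLEAN_JQUERY = b"/* pristine jquery.js (constructed stand-in) */\nwindow.jQuery=function(){};\n"
CLEAN_REPLY = b"// pristine comment-reply.js (constructed stand-in)\n"
# Constructed stand-in for a block appended to a core file by a compromise.
INJECTED_TAIL = b"\n/* constructed injected block */\n"


def md5_of(path):
    """MD5 of a file, streamed; WordPress's checksum manifest is MD5-based."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, manifest):
    """Compare every manifest entry (relative path -> expected MD5) against the
    install under root. Returns (modified, missing) lists of relative paths."""
    modified, missing = [], []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    return modified, missing


def build_demo_install():
    """Create a throwaway install with one pristine file, one tampered file and
    one deleted file, plus the manifest they should match. Returns (root, manifest)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-includes/js/l10n.js": CLEAN_L10N,
        "wp-includes/js/jquery/jquery.js": CLEAN_JQUERY,
        "wp-includes/js/comment-reply.js": CLEAN_REPLY,
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    for rel, data in files.items():
        if rel.endswith("comment-reply.js"):
            continue  # simulate a core file that has gone missing
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data + (INJECTED_TAIL if rel.endswith("l10n.js") else b""))
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_install()
    modified, missing = verify_core(root, manifest)
    print("modified:", modified)  # the tampered l10n.js
    print("missing:", missing)    # the deleted comment-reply.js
```

Any path reported as modified or missing is a candidate for replacement from a fresh copy of the same WordPress version, which is exactly the remedy applied in this thread.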

You’re welcome…!

You’re welcome, glad to help :slight_smile:

@Abhishek459845,
If you’re using WordPress make sure you have the latest updates installed.
There have been some problems with attacks not long ago.
http://codex.wordpress.org/Updating_WordPress

Hi bob3160,

The policy should be: cleanse, restore from backup, then have the latest updates installed.

polonus

Thank you Asyn, spg SCOTT, bob3160, polonus.

Yes, everything in the WordPress installation is up to date. The full installation has been restored from the backup (scanned before updating with it!) today.

Probably that or some variant of the exploit was used.

@bob3160: I came to know today from Mrs. Corrine that she has known you for many years! Great.

Yes, she and I have had a few conversations over the years. Thanks for the link. :slight_smile:
I knew it was her site as soon as I saw the roses. :slight_smile: