create_jcarousel vulnerable - remote inclusion vulnerability?

See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fbhcsecretaries.co.uk&useragent=Fetch+useragent&accept_encoding= (go to scripts)
3 flags: https://www.virustotal.com/en/url/835269aba6a36ce7d58b19928bf3d4599b6fcdf2df9917c6fac1d8d282d79734/analysis/1429443942/
Quttera flags three malicious files: Severity: Malicious
Reason: Detected reference to blacklisted domain
Details: Detected reference to malicious blacklisted domain wXw.bhcsecretaries.co.uk

Outdated Web Server Apache Found: Apache/2.4.9

blacklisted domains: wXw.bhcsecretaries.co.uk
-bhcsecretaries.co.uk

List of blacklisted external links: 100 zie Quttera scan.

IP badness history: https://www.virustotal.com/en/ip-address/79.170.44.83/information/
Avast detected Win32:Malware-gen communicating with this IP address.

polonus