My wordpress site infected by JS:Redirector-NT [Trj], please help

When I searching for this issue I see lots of wordpress user posted about the trojan infection in this forum. Same thing happened with my wordpress gaming site.

When I try to open my site ifreecrazytaxigames.com, my avast antivirus show this infection JS:Redirector-NT [Trj] and connection aborted. I informed my hosting service provider about the issue, but they could not able to find out the this infection.

Can any one please look into my site and inform me how can I remove this infection.

check your site here:

http://sitecheck.sucuri.net/

The malware is located here

-http://ifreecrazytaxigames.com/category/truck-games/
-http://ifreecrazytaxigames.com/crazy-taxi-be/

malware info: http://sucuri.net/malware/malware-entry-mwjs150

wepawet
http://wepawet.iseclab.org/view.php?hash=e525d283e297b5e0f7f2631dec5417d3&t=1328538258&type=js

VirusTotal
https://www.virustotal.com/file/66d5e8173889ffbb1030f229455ab20d906b0746200bb25e49426c765022dc75/analysis/1328538593/
https://www.virustotal.com/file/1750f6ae375577a5b198a54b789d4c4d7d57b0eb9705f66a8c8b9d7f4ed23a64/analysis/1328538702/

This is suspicious inside the code:
-xs.mochiads.com/static/pub/swf/leaderboard.js suspicious
[suspicious:2] (ipaddr:23.15.7.81) (script) -xs.mochiads.com/static/pub/swf/leaderboard.js
status: (referer=-ifreecrazytaxigames.com/category/truck-games/)saved 14370 bytes feb68d3c9cb1014d17f3fca533b50b34aaac0373
info: [javascript variable] URL=-xs.mochiads.com/static/pub/swf/
info: [javascript variable] URL=-x.mochiads.com/mochiBridge/
info: [script] :
info: [decodingLevel=0] found JavaScript
suspicious
and -www.facebook.com/plugins/like.php?href=http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light suspicious
[suspicious:2] (ipaddr:69.171.224.11) (iframe) -www.facebook.com/plugins/like.php?href=-http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light
status: (referer=-ifreecrazytaxigames.com/crazy-taxi-be/)saved 1466 bytes 5692e78b88c5679844f2950c44d45d315d0e4db7
info: [meta refresh] URL=www.facebook.com/common/browser.php
info: [decodingLevel=0] found JavaScript
error: undefined function window.location.replace
suspicious:

polonus

Avast is reporting JS:Redirector-NT [Trj on my site , can you please take a look and point me what code may be wrong ? the site is WEBKINSON.COM

I am now getting it on my site. - hxxp://gaysitgesguide.com/serendipity/2012/02/03/carnival-at-el-candil-sitges-2012/

I have run a webscanning software on the site, but no luck… :-\

Not only avast detect on it
https://www.virustotal.com/file/4aad3097e299d62415858cba7fc64d41268217528d6a5926b2f86a436ddb8052/analysis/1328565886/

wepawet
http://wepawet.iseclab.org/view.php?hash=6ae7c6290ea4f6ee7c2f403a32f49ab3&t=1328566335&type=js

Sucuri report: wordpress outdated
http://sitecheck.sucuri.net/results/http://gaysitgesguide.com/serendipity/2012/02/03/carnival-at-el-candil-sitges-2012/

No detection here
https://www.virustotal.com/file/48dbaf9b3d5ab838cc744c8af15e2acec118814117a8468e843ccc221c44829e/analysis/1328566127/

Wepawet - Suspicious
http://wepawet.iseclab.org/view.php?hash=e47bd737c3d0576a8bb3dca6dfb3daaf&t=1328566353&type=js

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks. (You too Pondus ;))

It’s there.

It will be easier to follow these topics if everyone creates their own topic…Please can that be done?

Hi spg SCOTT,

Fully agree that new victims should start their own new thread, and not add their related case into an existing thread. This will not help rather complicate analysis and explanation of the malcode at hand.
Also making the link non-click-through is a precaution for obvious reasons (infection related and/or web-content related issues could demand this). Furthermore website owners and webmasters should refrain fromgetting and implementing free plug-ins that they can find anywhere on the Internet. A lot of those plug-ns are suspicious or malware ridden or are risky because they have vulnerabilities or are not fully updated and patched, and so are hackable and injectable. One such plugin-module in this case might be wp-content/plugins/jetpack/modules/wpgroho.js, verdict suspicious,

polonus

Hi as per you mention here, I figure out both of the infected location on my site and rectify it. Now virus infected notification is not showing when I open my site. Please have a look on my site and please let me know whether my site is still infected.

I have also another website that is coolmathgamesonline.net, which is also infected, please inform me the exact location of infection on this site.

Hi I have checked my site that is hxxp://coolmathgamesonline.net through that online scanner site, there nothing any virus alert showing. But when I open my site on browser Avast alert me for virus. Please guys help me how I will recover from this issue. I even downloaded the files on my local harddisk, scan the files but no any virus threat shown on the files.

Can u give us a screenshot of the alert.

Sure here is the screenshot.

Hey! u are using a old version of avast! download the latest free version from here:

http://www.avast.com/free-antivirus-download

Here is the screenshot of Avast alert when I try to open the site hxxp://coolmathgamesonline.net.

Yes you are correct. That is one old version. But now I attached the screenshot of new avast antivirus alert when I try to open the site coolmathgamesonline.net. I installed the new avast by uninstalling the old one few hours back…

hxxp://coolmathgamesonline.net/wp-content/themes/NextWPA/js/jquery-1.2.3.pack.js

It seems like that the problem.

I just downloaded my theme, plugin and other correspondent files and then scan with new avast antivirus but no any threat alert shown. How will I distinguish the threat now?

And the strange thing is when I open the site first time on my browser threat shows, but later when I open the homepage or other pages threat does not show.

Hi it seems that you are from India. Can we please discuss my problem through chat for the first response. Sorry moderator if this is wrong, please delete my reply.