I've seen several references to the W3 total cache malware problem being fixed.
I just downloaded the latest plugin files directly from the WordPress Plugin directory on WordPress.org's own server, and the W3 readme .html file contains a link to a site identified by Google as malware.
I found the malware link using WordFence, just after doing a malware scan, and the results were that WordFence found a link in that readme file (I will not post the name of the link file here, in this space). If anyone finds the link in the readme.html file, and then cuts and pastes the link into a web browser, they are presented with an immediate: "Something's not right here" malware notice from Google.
My solution: Delete the readme.html file.
Honestly, doesn't anybody check these things before plugins are put in the repository? This is the latest version of this plugin, and the link's presence and ultimate Web destination are undeniable.
How it got there is best left up to better detectives than I am.