WordPress blog got hacked or has a virus

You can always upgrade the plugin or, if it is in the theme, get an updated theme, or just upgrade TimThumb yourself.

http://www.web2feel.com/important-timthumb-upgrade/

How do you check the database to see anything unusual? I used phpMyAdmin and went through the tables; it seems fine and I didn’t see any iframes.

From my experience it usually is not the db. I just search the db for some of the ads that you had on the side. If the search shows nothing, usually it is fine. In my experience I have only seen the db infected one time, when fixing a board. Usually it is the files or the theme.

Did you check your theme files (i.e. sidebar.php)?

The other possibility is that someone got the name and password of an administrator account (you didn’t leave the defaults, did you?). Just in case, log in as an administrator and change the names and passwords of all accounts, especially the ones that have admin powers.

I’ve checked every file in my theme and I didn’t see that codes were injected or that any changes were made to the file.

I already deleted the default admin after I installed WordPress and created a new admin.

Make sure you do not have the username as admin.
Also, I always suggest having one account for posting your threads and another just for admin purposes. That way, if you get hacked, they can only make posts and do not have access to everything. If you need to change the username, there is a mod that does that. Also make sure your site does not have admin under your name.

This is what I meant. Use the original admin account, then create a second account with a different name as admin and delete the original admin account.

WP is easier to hack if the admin account is named… admin! :smiley:

Well great minds think alike. -molona

sky, did everything work out then with the mods and replacing TimThumb?

The main reason a WordPress website gets hacked is if you have a virus on your computer that is stealing your information, or your easy wp-admin password…!

I did what you guys said and installed a couple of security plugins. Also, the username is not admin. Right now I haven’t seen those small texts on the sidebar yet. I think a file called general template was modified and I uploaded the original one again.
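An added example, not part of the original thread: instead of reading files by eye, hash the live install against a freshly downloaded clean copy of the same WordPress release and list every file that was modified or added, plus those containing hidden-iframe style markup. The directory layout, the extra file name and the sample content are constructed for the demonstration, and the regex is an assumed heuristic, not a complete malware signature.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristic for the hidden ad/iframe injections discussed in the thread.
SUSPICIOUS = re.compile(rb"<iframe|eval\s*\(\s*base64_decode|display\s*:\s*none", re.I)

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(live_root, clean_root):
    """Return (modified, added, suspicious) relative paths found in the live tree."""
    live, clean = hash_tree(live_root), hash_tree(clean_root)
    modified = sorted(f for f in live if f in clean and live[f] != clean[f])
    added = sorted(f for f in live if f not in clean)
    suspicious = sorted(f for f in modified + added
                        if SUSPICIOUS.search((Path(live_root) / f).read_bytes()))
    return modified, added, suspicious

def demo():
    """Constructed sample: a clean tree and a live tree with two tampered files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes/general-template.php").write_text("<?php // original\n")
            (root / "index.php").write_text("<?php // front controller\n")
        # Constructed tampering: a hidden iframe appended to a core file...
        with open(live / "wp-includes/general-template.php", "a") as fh:
            fh.write('<iframe src="http://ads.example/" style="display:none"></iframe>\n')
        # ...and a file that does not exist in the clean release (hypothetical name).
        (live / "wp-includes/x-extra.php").write_text("<?php // unknown file\n")
        return compare(live, clean)

if __name__ == "__main__":
    modified, added, suspicious = demo()
    print("modified:", modified)
    print("added:", added)
    print("suspicious:", suspicious)
```

On a real site, themes, plugins and uploads under wp-content will show up as added because they are not in the core download, so compare those against their own original packages.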

My account recently got hacked too :frowning: You have to take precautions. For me those precautions damaged my WP installation, which super sucks! I suppose one should never completely trust plug-ins and only install those with a 4-5 star rating. Can you let us know which security plug-ins you installed on your account?

These are suggested by mmoore5553

wordpress security plugins
wp-malwatch
bps security
wp security scan
better wp security
BulletProof Security
Secure wordpress
Ultimate security checker

Yes, I use all those plugins and follow the advice in them, and it has made all the sites I have worked on very secure.