{"id":2094,"date":"2010-05-10T09:11:05","date_gmt":"2010-05-10T16:11:05","guid":{"rendered":"http:\/\/gillin.com\/blog\/?p=2094"},"modified":"2010-05-10T19:41:39","modified_gmt":"2010-05-11T02:41:39","slug":"a-quick-fix-for-the-latest-wordpress-virus","status":"publish","type":"post","link":"https:\/\/gillin.com\/blog\/2010\/05\/a-quick-fix-for-the-latest-wordpress-virus\/","title":{"rendered":"A Quick Fix for the Latest WordPress Virus"},"content":{"rendered":"<p>I spent several frustrating hours this weekend trying to recover from a nasty virus that has hit WordPress installations on Network Solutions and Go Daddy, which is my hosting service. After wasting many hours fiddling with wp-config files and backing up and restoring databases, I hit upon a simple solution this morning that appears to have restored my three blogs to their former glory. Maybe it will help you.<\/p>\n<p>This virus works by prepending a long block of obfuscated PHP code to the beginning of PHP files, ahead of each file\u2019s own opening &lt;?php tag, like the one depicted below. Infected files are scattered all over your WordPress directories and there\u2019s no telling how many there are. 
You need to remove the malicious code from every PHP file to restore your system, and there could be hundreds of files. Bear in mind that stripping the injected code only reverts the files; it does not tell you how the attacker was able to write to them, so treat what follows as a cleanup, not a root-cause fix.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Bad_code.png\"><img class=\"size-full wp-image-2095  aligncenter\" style=\"margin-left: 9px; margin-right: 9px;\" title=\"Bad_code\" src=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Bad_code.png\" alt=\"Rogue code in WordPress\" width=\"450\" srcset=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Bad_code.png 720w, https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Bad_code-300x122.png 300w\" sizes=\"(max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p>\nFirst, the disclaimers: I\u2019m not a programmer and I can\u2019t guarantee that this solution will eradicate the virus once and for all. It\u2019s possible that the creeps who developed it have hidden code somewhere to resurrect it at a later point, so I will post an update a few days from now. Also, you should back up your database before attempting any recovery. It\u2019s probably also a good idea to back up the infected files to a safe directory on your computer in case something goes wrong.<\/p>\n<p>\nThat said, here goes. This fix is for Windows, but the Mac version should be pretty similar:<\/p>\n<p style=\"text-align: left;\"><strong>1.<\/strong> You\u2019ll need to download and install two open-source programs \u2013 <a href=\"https:\/\/filezilla-project.org\/\">FileZilla<\/a> and <a href=\"https:\/\/notepad-plus.sourceforge.net\/uk\/site.htm\">Notepad++<\/a> \u2013 before you get started.<\/p>\n<p style=\"text-align: left;\"><strong>2.<\/strong> Open FileZilla and connect to the FTP server where your WordPress installation is located. If your host offers SFTP or FTPS, use that instead of plain FTP, which sends your password across the network in the clear.<\/p>\n<p style=\"text-align: left;\"><strong>3.<\/strong> Now you\u2019re going to create a filter in FileZilla to download and upload only PHP files. 
This will save you a lot of time because you won\u2019t be sending large image and audio files back and forth. Go to \u201cView &#8211;&gt; Filename filters..\u201d and choose \u201cEdit filter rules&#8230;\u201d Create a new rule called \u201cPHP\u201d or whatever you want. In the \u201cFilter conditions:\u201d drop-down menu, select \u201cFilter out items matching none of the following.\u201d\u00a0 In the space below that, choose the drop-down menus \u201cFilename\u201d \u201ccontains\u201d and type \u201cphp\u201d into the box. See screen grab below.<\/p>\n<p><a href=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Filename_contains.png\"><img loading=\"lazy\" class=\"size-medium wp-image-2096 alignleft\" style=\"margin-left: 9px; margin-right: 9px;\" title=\"Filename_contains\" src=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Filename_contains-300x64.png\" alt=\"Setting up FileZilla to filter PHP files\" width=\"300\" height=\"64\" srcset=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Filename_contains-300x64.png 300w, https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Filename_contains.png 757w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>4.<\/strong> Then \u2013 and this is important \u2013 uncheck the box that says \u201cFilter applies to: Directories.\u201d If you don\u2019t uncheck this box, FileZilla will only download files in the root folder and miss all the sub-folders. Click OK.<\/p>\n<p><strong>5.<\/strong> Back in the \u201cDirectory listing filters\u201d dialog box, check the boxes next to your new PHP filter name in both the \u201cLocal filters\u201d and \u201cRemote filters\u201d columns. Click OK. 
Your file transfer filter is ready.<br \/>\n<a href=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/PHP_filter.png\"><img loading=\"lazy\" width=\"300\" height=\"215\" class=\"size-medium wp-image-2097 alignleft\" style=\"margin-left: 9px; margin-right: 9px;\" title=\"PHP_filter\" src=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/PHP_filter-300x215.png\" alt=\"PHP filters selected\" srcset=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/PHP_filter-300x215.png 300w, https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/PHP_filter.png 436w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>6.<\/strong> In the \u201cLocal site:\u201d window on FileZilla, create an empty directory on your computer where you can store the PHP files you download. In the \u201cRemote site:\u201d window, navigate to the directory containing your blog. This will be the one with the folders called wp-admin, wp-content and wp-includes. Those folders may not be visible while your filter is on, so if you want to check, temporarily disable the PHP filter to be sure you\u2019re in the right directory.<\/p>\n<p><strong>7.<\/strong> In the \u201cRemote site:\u201d window, select all files (CTRL-A), right-click and choose \u201cDownload.\u201d The PHP files will start downloading into the new directory you created, preserving the directory structure of the server. This should be pretty fast, because you\u2019re only downloading text files.<\/p>\n<p><strong>8.<\/strong> Once the download is complete, open an Explorer window and navigate to the directory on your computer where the PHP files are located. Select the PHP files, right-click and choose \u201cOpen with\u2026\u201d, then navigate to the Notepad++ directory and choose the file called \u201cnotepad++\u201d. Select this as the default for opening all PHP files. You only need one infected file open to copy the rogue code from; the find-and-replace in the next step works on the whole folder.<\/p>\n<p>\nNotepad++ will open with all the files you\u2019ve selected in separate windows. 
Flip through the windows until you find one containing the rogue code at the top.<\/p>\n<p><strong>9.<\/strong> Select all the characters from the first occurrence of \u201c&lt;?php\u201d up to, but not including, the second occurrence. That second \u201c&lt;?php\u201d is the file\u2019s own opening tag and must stay. Include any trailing spaces or line breaks.<br \/>\nIn Notepad++, choose \u201cSearch &#8211;&gt; Find in files&#8230;\u201d The dialog box that pops up will look like the one below. The text you selected should already be inserted into the \u201cFind what :\u201d field. Delete anything in the \u201cReplace with :\u201d field. Leave the search mode on Normal, not Regular expression, so that the punctuation in the rogue code is matched literally. Then choose the navigation button to the right of the \u201cDirectory :\u201d field and navigate to the folder containing your PHP files. Click \u201cReplace in Files.\u201d The program will respond with the challenge of \u201cAre you sure you want to replace all occurrances [sic] of\u2026\u201d Click OK. Notepad++ will churn away for a few seconds and then show you how many files it has changed. The number may astound you.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Find_in_files.png\"><img loading=\"lazy\" class=\"aligncenter size-medium wp-image-2098\" style=\"margin-left: 9px; margin-right: 9px;\" title=\"Find_in_files\" src=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Find_in_files-300x194.png\" alt=\"\" width=\"300\" height=\"194\" srcset=\"https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Find_in_files-300x194.png 300w, https:\/\/gillin.com\/blog\/wp-content\/uploads\/2010\/05\/Find_in_files.png 484w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>10.<\/strong> If all has gone well, you should still see part of the rogue code in the window in front of you. This is because Notepad++\u2019s \u201cFind what :\u201d field can\u2019t hold all the characters you need to replace. So you\u2019re going to have to run another find and replace. Simply select the remaining bad code and repeat the previous step to find and replace all incidents in the files. Remember that find-and-replace only removes copies that are byte-for-byte identical to what you selected; a file injected with a different string will be missed, so before you upload, search the folder for any remaining file whose first line is a long \u201c&lt;?php \u2026 ?&gt;\u201d block and clean it by hand. 
If all has gone well now, the file in front of you should be clear of all bad code. Save that file and any files that are open in other windows and exit Notepad++.<\/p>\n<p><strong>11.<\/strong> Go back to FileZilla and upload all the PHP files, being careful to choose the same directory from which you downloaded them originally. When the challenge box pops up, specify \u201cOverwrite\u201d and \u201cAlways use this action.\u201d\n<\/p>\n<p>\nTry to open your site again. It should be back to normal. If it isn\u2019t, upload the original copies of the files you set aside in a separate directory so the site is back where it started, and try something else, because this obviously wasn\u2019t the bug you had!<\/p>\n<p>If the fix works, be sure to change your database and WordPress passwords, and your FTP or hosting-account password as well, since whatever planted the code was able to write to your files. It is also worth comparing the cleaned files against a fresh download of the same WordPress version to make sure nothing else was altered. And let me know either way whether this did the trick!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I spent several frustrating hours this weekend trying to recover from a nasty virus that has hit WordPress installations on Network Solutions and Go Daddy, which is my hosting service. 
After wasting many hours fiddling with wp-config files and backing &hellip; <a href=\"https:\/\/gillin.com\/blog\/2010\/05\/a-quick-fix-for-the-latest-wordpress-virus\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[5],"tags":[165,276,277,135],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pTy95-xM","_links":{"self":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/2094"}],"collection":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/comments?post=2094"}],"version-history":[{"count":8,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/2094\/revisions"}],"predecessor-version":[{"id":2106,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/posts\/2094\/revisions\/2106"}],"wp:attachment":[{"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/media?parent=2094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/categories?post=2094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gillin.com\/blog\/wp-json\/wp\/v2\/tags?post=2094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
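The manual procedure in steps 6 through 11 of the post, done as a script instead. This is an added example and not code from the original post: it learns the injected block from one infected file exactly as step 9 does (everything from the first `<?php` up to, but not including, the second), strips it from every `.php` file under the download folder that begins with the same bytes, keeps a `.bak` copy of each file it edits, and only reports files whose first line looks like a different payload rather than touching them. The sample directory tree, the file names, the stand-in payload strings and the 200-byte "suspect" threshold are all constructed for the demo; the real injected string was much longer and is not reproduced here.

```python
"""Strip a known injected prefix from every .php file under a directory.

The injected block is learned from one known-infected file (everything from
the first '<?php' up to, not including, the second, which is the file's own
opening tag) and cut from every file that begins with exactly those bytes.
Paths, payload strings and the length threshold are constructed for the demo.
"""
import os
import shutil
import tempfile

OPEN_TAG = b"<?php"
# A self-contained '<?php ... ?>' first line at least this long is reported as
# a suspected variant payload. Assumed threshold, not a signature.
SUSPECT_LINE_LEN = 200
# Constructed stand-ins for injected blocks (NOT the real payload).
DEMO_INJECTED = b"<?php /*x9*/ " + b"Q" * 260 + b"; ?>"
DEMO_VARIANT = b"<?php /*z2*/ " + b"R" * 260 + b"; ?>"


def extract_injected_prefix(data):
    """Bytes from the first '<?php' up to the second, else None."""
    if not data.startswith(OPEN_TAG):
        return None
    second = data.find(OPEN_TAG, len(OPEN_TAG))
    return None if second == -1 else data[:second]


def looks_like_variant(data):
    """Heuristic: a long one-line '<?php ... ?>' opener, unlike WordPress source."""
    first_line = data.split(b"\n", 1)[0]
    return (first_line.startswith(OPEN_TAG) and b"?>" in first_line
            and len(first_line) >= SUSPECT_LINE_LEN)


def learn_prefix(sample_path):
    """Step 9 of the post: take the injected block from one infected file."""
    with open(sample_path, "rb") as f:
        prefix = extract_injected_prefix(f.read())
    if prefix is None:
        raise ValueError("%s does not look injected" % sample_path)
    return prefix


def clean_file(path, prefix, backup=True):
    """Return 'cleaned', 'suspect' or 'clean'; only an exact prefix match is cut."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(prefix):
        if backup:
            shutil.copy2(path, path + ".bak")  # keep the infected original
        with open(path, "wb") as f:
            f.write(data[len(prefix):])
        return "cleaned"
    return "suspect" if looks_like_variant(data) else "clean"


def clean_tree(root, prefix, backup=True):
    """Walk root (the FileZilla download folder) and clean every .php file."""
    report = {"cleaned": 0, "suspect": 0, "clean": 0, "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue  # images, .bak copies etc. are never touched
            path = os.path.join(dirpath, name)
            verdict = clean_file(path, prefix, backup)
            report[verdict] += 1
            if verdict == "suspect":
                report["suspect_files"].append(path)
    return report


def build_demo_tree(root):
    """Constructed tree: two injected files, one clean, one variant, one PNG."""
    original = b"<?php\n/** Front to the WordPress application. */\nrequire 'wp-blog-header.php';\n"
    layout = {
        "index.php": DEMO_INJECTED + original,
        "wp-content/themes/t/header.php": DEMO_INJECTED + b"<?php get_header(); ?>\n<div>\n",
        "wp-includes/functions.php": original,
        "wp-admin/variant.php": DEMO_VARIANT + original,
        "wp-content/uploads/logo.png": b"\x89PNG" + DEMO_INJECTED,
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)


def run_demo():
    """Build the tree in a temp dir, learn the prefix from index.php, clean it,
    and return the report plus the state of index.php afterwards."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        prefix = learn_prefix(os.path.join(root, "index.php"))
        report = clean_tree(root, prefix)
        report["prefix_len"] = len(prefix)
        report["backup_kept"] = os.path.isfile(os.path.join(root, "index.php.bak"))
        with open(os.path.join(root, "index.php"), "rb") as f:
            report["index_after"] = f.read()
    return report
```

Against a real download folder you would call `learn_prefix()` on the one file you inspected in Notepad++ and then `clean_tree()` on the folder, upload as in step 11, and go through `suspect_files` by hand. The exact-match rule is deliberate: like the post's find-and-replace it never edits a file unless it starts with the identical bytes, so a variant payload is surfaced for review instead of being half-removed or left behind unnoticed.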