Hi
Ok, if you can’t get into wp-admin you need to try to reset your credentials. If you get a message saying that the email doesn’t exist, and you’re sure that it does, then the odds are your account has been removed by the hacker. You’re going to want to log into your host administrator panel, access your database and manually overwrite the users. Some guidance on that here: http://codex.wordpress.org/Resetting_Your_Password
As for that scounter injection, yes, you’re going to want to check all your JavaScript (JS) files, that where it usually like to hide, specifically at the bottom of the files.
You can try searching for it via GREP in terminal. Its often not just one file, often all your JS files to include those in your theme and core files.
Happy hunting, let me know if this helps.
Oh, I forgot, When you’re done with the removal and it shows cleared on SiteCheck then proceed with submitting it to Google for deblacklisting.
SiteCheck uses the Google API when it flags, so just click the Blacklisting tab and it’ll tell you who it’s pulling the blacklisting from.
Cheers.
@perezbox
I think it’s not so bad.
Earlier today I was doing some activities in my wp-admin. After logging out and restarting the computer, when I was just logging in, there appeared that blacklist announcement (from Firefox) and then redirect to log-in screen.
I tried IE and I managed to log in to wp-admin via IE.
Now only the problem of that injection.
@anemoone good to hear on the users issues, but you’ll still want to clear that scounter injection to get off Google’s radar.
@perezbox
I’ll follow your instructions against that injection. In case of success I’ll submit my blog for deblacklisting.
So far I didn’t find that long code shown after the scan on sucuri.net. The number of .js files is quite big. Besides some of them are placed in css sections.
But thanks to one of the plugins I’ve found a code that is very similiar to the one I’m looking for, which ii also starting with “scounter”. It was placed in three themes (out of four I have left), in functions.php, also at the bottom of the files.
Now the site is clean acording to sucuri.net scanner.
