Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
You need to start working your way through these resources:
Additional Resources:
Thread Starter
cosmln
(@cosmln)
Right now I found that one PHP file was “injected” with PHP:Agent-IN[Trj] … now I have to see how to get rid of this.
Any idea?
Thanks,
Cosmin
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Won’t that just remove the symptom of the hack?
Thread Starter
cosmln
(@cosmln)
Dear Andrew,
You have to keep in mind that I’m almost a newbie; this is why I asked for help.
I have installed “Anti-Malware and Brute-Force Security by ELI” on http://lepidoptera.nature4stock.com/ but it has not solved anything. The plugin found some problems but I don’t know what to do next 🙁 .
Please help,
Cosmin
Thread Starter
cosmln
(@cosmln)
Right now my antivirus “avast” is reporting that a comment.php file is infected … I deleted that one from a folder where I think it should not be, “wp-content/uploads/…/comment.php”, but the website still shows those messages.
🙁
Thread Starter
cosmln
(@cosmln)
I think I have solved the problems … any input is welcome; I would like to receive a confirmation that those links are not there anymore.
Solved with Anti-Malware and Brute-Force Security by ELI: I found the update definition button and after that all worked.
Thank you,
Cosmin
Simply installing a plugin is very unlikely to fix your problems, even if it appears to clean up the infection.
Can you confirm you went through the documents/guides thoroughly that Andrew kindly provided you with?
Have you tried speaking to your web host about how you were initially infected?
Hi,
First step, ask host to recover your site to an older backup.
Once that is done, then do your best to ensure “all” is updated and “all” passwords related to your hosting account changed.
There is no instant solution. If the site cannot be recovered someone will need to visually dive in and work to fix all that was broken.
Thread Starter
cosmln
(@cosmln)
Colin, as much as I know, I have looked at everything Andrew sent me. But as I have told you, I’m a newbie; I’m just a biologist and photographer (or try to be).
I had no time to do all the websites, so there was a delay in solving the problems. To me, no strange links appear anywhere on any website (I have checked this on several different systems, on PC and on Mac). But I will also send everything to a friend to check them another time.
The Hack Repair Guy, everything was recovered from backup and looks clean, with an exception.
On http://plants.nature4stock.com/, over the icons with my links, I have an empty space, and looking there with Inspect Element in Chrome I see code that I don’t recognize and don’t know how to get rid of.
[ Malware code deleted ]
I was not able to find in which file this code is inserted. Has anyone seen this code? Do you know how to get rid of it?
Thank you,
Cosmin
That is looking better for me! Do make sure you speak to your host regardless.
Thread Starter
cosmln
(@cosmln)
Now I see that the code I wrote from http://plants.nature4stock.com/ was deleted.
Here it is again, and I hope that it can stay here now.
<ul>
<script type="text/javascript"><!--
google_ad_client = "pub-9312294701485395";
google_ad_width = 125;
google_ad_height = 125;
google_ad_format = "125x125_as_rimg";
google_cpa_choice = "CAEQ6fqXhAIaCO_mwRos0nIlKK2293M";
google_ad_channel = "2887620906";
//-->
</script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script><ins id="aswift_0_expand" style="display:inline-table;border:none;height:125px;margin:0;padding:0;position:relative;visibility:visible;width:125px;background-color:transparent"><ins id="aswift_0_anchor" style="display:block;border:none;height:125px;margin:0;padding:0;position:relative;visibility:visible;width:125px;background-color:transparent"><iframe width="125" height="125" frameborder="0" marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true" scrolling="no" allowfullscreen="true" onload="var i=this.id,s=window.google_iframe_oncopy,H=s&&s.handlers,h=H&&H[i],w=this.contentWindow,d;try{d=w.document}catch(e){}if(h&&d&&(!d.body||!d.body.firstChild)){if(h.call){setTimeout(h,0)}else if(h.match){try{h=s.upd(h,i)}catch(e){}w.location.replace(h)}}" id="aswift_0" name="aswift_0" style="left:0;position:absolute;top:0;"></iframe></ins></ins>
</ul>
and this continues … I hope that this code that I found with Inspect Element in Chrome can be visible and maybe I can get a solution.
Thank you Colin, they just really don’t care; after more than a week of exchanging messages I just succeeded in receiving the backup from them 🙁 .
Thanks,
Cosmin
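The two checks that come up in this thread, a PHP file sitting under wp-content/uploads and working out which file contains an unrecognized snippet, can both be run over a downloaded copy of the site. The following is an added example, not part of the original thread; the function names, the marker string and the sample tree are constructed assumptions.

```python
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

def scan_wp_tree(root, markers):
    """Scan a local copy of a WordPress site rooted at `root`.

    Returns (scripts_in_uploads, marker_hits):
    - scripts_in_uploads: PHP-like files under wp-content/uploads, a media
      directory where script files are unexpected and worth reviewing.
    - marker_hits: {relative_path: [markers found]} for every file containing
      one of the strings, e.g. an ID copied from the browser's Inspect Element.
    """
    uploads = os.path.join("wp-content", "uploads") + os.sep
    scripts, hits = [], {}
    needles = [m.encode() for m in markers]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel.startswith(uploads) and name.lower().endswith(SCRIPT_EXTS):
                scripts.append(rel)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            found = [m for m, n in zip(markers, needles) if n in data]
            if found:
                hits[rel] = found
    return sorted(scripts), hits

def build_sample_tree(root):
    """Constructed sample data: a tiny fake site with two planted findings."""
    samples = {
        "wp-content/uploads/2018/05/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        "wp-content/uploads/2018/05/comment.php": b"<?php /* placeholder */ ?>",
        "wp-content/themes/mytheme/footer.php": b'<script>x = "pub-0000000000000000";</script>',
        "wp-content/themes/mytheme/header.php": b"<?php wp_head(); ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_wp_tree(tmp, ["pub-0000000000000000"]))
```

If no file matches a marker, the snippet may be stored in the database (for example in a text widget or post content), which a file scan does not cover.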