Possible Pharma Hack?

Hi all!

I’m looking for any sort of help I can get at this point. I’ve exhausted many of the options that I’ve found on the net and so far continue coming up short. First of all, the problem:

My website doesn’t have any actual spam on it that I have been able to find, but of course Google has hundreds of returns for posts that feature titles and descriptions for Cialis/Viagra products. You can view examples here:

https://www.google.com/search?q=site%3Awww.variedcelluloid.net+%28online|pharmacy|cialis|viagra|xanax%29

On some posts I make on Facebook, pointing towards specific posts, it also returns with the spam title tags and descriptions. However, the majority of the pages you’ll find in the above google search lead to “Nothing Found” results. The posts do not seem to exist. However, they still show up in my Google Webmaster Tools under duplicate titles/descriptions. Now, there are some legitimate posts listed in those results above, but when you click on the link everything seems to come up fine.

With the pages that return fine but show up with spam titles/descriptions, I have tried fetching them with Googlebot, looking for out-of-the-ordinary scripts or pharma-related keywords, but nothing comes up.

I’ve replaced the WordPress core files in the recent past. I might try it again sometime soon though and maybe look into deleting any unnecessary files/plugins. I recently had WP Super Cache, but deleted it because I had heard it might be a liability. Unfortunately, I’m afraid that if I start disabling plugins it may take weeks to get results. Afterall, nothing actually “shows” on the website, it’s all about the google results.

The site comes up as clean through websites like Sucuri. Sucuri even says “no spam.”

I’ve used grep, looking for any files that feature “base64_decode” and found very little to worry about. The only ones that seemed somewhat worrisome started off with lines that said…

“Deprecated functions from past WordPress versions. You shouldn’t use these functions and look for the alternatives instead. The functions will be removed in a later version.”

Still, I couldn’t find anything online that said these files (all with varying titles) were pharma/spam/malware related.

I’ve looked for the following files but do not appear to have them:

akismet.old.php
class-akismet.php
wp-akismet.php
db-akismet.php
.akismet.cache.php
.akismet.bak.php
db-pagenavi.php
class-pagenavi.php
ext-podpress.php
ext-tweetmeme.php
db-editor.php
.tweetmem.old.php
*query.js

I’ve found nothing out of the ordinary in any .htaccess files.

In phpmyadmin, I’ve looked under wp_options / option_name for:

class_generic_support
widget_generic_support
fwp
wp_check_hash
ftp_credentials
rss_7988287cd8f4f531c6b94fbdbc4e1caf

No luck with that. While in phpmyadmin I did a search for “viagra” and came up with 156 results coming from statpress, but these seem to come from URL requests. I’m not sure if that’s something I need to worry about. Any ideas?

I’ve went through the following posts already:

http://codex.wordpress.org/FAQ_My_site_was_hacked
http://blog.aw-snap.info/2011/02/pharmacy-hack.html
http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html

I’m just hoping that someone on here has spotted the same situation. I have not seen many discussions amongst others who have had the same “phantom posts” problem that I am confronting. It has tremendously dropped my page rank and I would really like to do something about it. Any help would be greatly appreciated!