A co-worker's WP installation is flagged "Infected!"
All the two dozen or so earlier .sql backups are similarly infected.
I looked around the latest raw .sql file and found obvious rogues, then I used phpmyadmin on my desktop to delete the rogues, and re-installed the database, online to the server.
The database is compromised by 200 or so nonsense URLs that are easily identifiable by derivatives of author "jonn" and by IDs in the sql file, for example a small extract is shown (1) below.
In phpmyadmin, I deleted entries "askimet as submitted" and "askimet result" in the 1.5Mb .sql file - screenshot (2)
It did not resolve it and the project is still flagged "Infected!" by my Avast AV program.
Please ... will you add to my learning-curve by suggesting what I am not doing?
** In anticipation, thank you. If I have missed a help/faq entry already on these forum pages, it is not for lack of looking pretty hard for three hours.