I had seen a post on Twitter about a bunch of MediaTemple accounts getting infected with this virus a few days ago, and it’s no surprise that the host hasn’t done anything about it yet. When I went to a client’s website during a call, Kaspersky caught the malicious code right away. Having a little experience removing the viruses from WordPress sites, I figured I’d give it a shot and see what I could do to help. The solution seems to have worked. Important – make sure you have good, up to date antivirus software on your system before messing with infected websites. I recommend Kaspersky over everything else. I am not responsible for you infecting your computer.

  1. Download all of the files from the infected website, including the theme and uploads, and make a note of which plugins are installed on the site. Save these files in a new folder named “infected files.”
  2. Export a copy of your database using PHPMyAdmin. This can normally be done through your hosting control panel. If you’re on MediaTemple, login and go to  “Admin” > “Databases” and you will see a list of the db’s in your account. Click the “Admin” button to bring up PHPMyAdmin. If you’re not sure which db your site is running on, you can find out by looking at the wp-config.php file you downloaded in the “infected files” folder. Open wp-config.php in notepad or wordpad and you will see all of the database information. Once you are in PHPMyAdmin, simply click on the export tab, leave the default settings, click the “Save file” checkbox, and click “go.” Save the file in your “infected files” folder.
  3. Export an XML copy of your WP site just in case you need it. In the infected website’s admin, go to “Tools” > “Export” and export an XML copy of the site. This is just a precautionary measure in case you have trouble with the SQL file. This file can be cleaned as well. The XML file won’t restore your site as completely as the SQL file will though.
  4. You now should have a full backup of the infected site.
  5. Delete all of the files on the server through FTP.
  6. If you are on MediaTemple, change the password for your db user, because they use a master db username that has access to all of your databases. Beware that this step can affect other database driven websites in your account. You will have to change the pass in config files for any other websites that use db’s on the same account if you do this.
  7. Dump all of the data from the database of the infected site. Click “Structure (tab)” > “Check All” > “With Selected:” > “Drop.” Confirm. This will delete the whole database.
  8. Purge the backup copy of the database of the MySQL injections. Open your backup copy from step 2 (an .sql file), in a plain text editor (like notepad, wordpad, or you can even use dreamweaver). Use the “Find and Replace” function to search out instances of the injection, which in this case is “<script src=”http://ae.awaue.com/7?></script>.” Replace with a blank space or nothing at all. This whole line of code needs to be removed.
  9. Double-check the db for any of the malicious code by doing a search for “awaue.com” and deleting anything you find.
  10. The same 8 & 9 steps can be done with your XML backup if you need it (only if you have problems with PHPMyAdmin).
  11. Download and install a fresh copy of WordPress and any plugins you were using on your infected site. Do not upload the old files. Leave the default settings.
  12. Open all pages of your old theme in a program like Adobe Dreamweaver and check to make sure it doesn’t contain the “ae.awaue.com” script reference anywhere. It shouldn’t because these appear to be sql injection attacks, but it’s always best to double check. You can also scan the folder on your hard drive using your antivirus program. If it looks ok, you can upload it to the new WP installation.
  13. Import your cleaned MySQL backup using PHPMyAdmin. Go back to PHPMyAdmin, “Import (tab)” > Browse to your cleaned backup, and click “go.” This should restore all of your site – posts, users, and settings.
  14. Change your admin password and reset the passwords for all of the users on the site as an extra precautionary step.
  15. If you are missing some images from your site, they will be in the “infected files/wp-content/uploads” folder. Scan it with your antivirus program, and upload it to the new site if it checks out ok.
  16. If your website is throwing some strange errors, you may also have to upload your old .htaccess file from the “infected files” folder. This is another file that can be opened and checked with a text editor.

After taking these steps your WordPress site should be clean from Trojan.JS.Redirector.cq.