Hi,
I have a problem of cleaning one of my friends sites from malware "found" by google adwords, because I can't detect the bad file/s, I want to ask you for helping me with this issue.
We get regularly an email by google adwords, that they have to stop a campaign, because of malicious content. So we took some steps to identify and remove it including
- moving the site to another server
- installing wordpress instead of just moving it
- installing of all needed plugins
- installing of new clean version of theme (but copied self-made modifications, after checking the files)
- copying images in wp-content/uploads to new server. Deleted everything, thats not an image or pdf from that folder
- searching database for iframes etc. then import it to the new site
- scanned it with wordfence, Anti-Malware Security and Brute-Force Firewall and LMD without any results except for some harmless "changes" in core files added by the german version
- Checking google webmaster tools (it says everything is safe)
After calling adwords, they have sent me an email with a link, which looks like malware by teaserguide look here or here (can i post the complete link which they have sent me here?).
As default_keyword there is a link to this site, but i can't find anything about an iframe in the source code.
I have searched in all website files for "var a="'1Aqap" without any results. header.php, nav-menu.php and .htaccess don't look weird.
Do you have some ideas, what else I can do to find the evil file/entry?