My URL is: http://portprep.com/wp
Before I ask for your help, I'd like to share with you what I've done so far.
I have read countless resources on how to get rid of malware from the site I'm managing. I've narrowed down my research to this comprehensive resource: http://www.seotakeaways.com/malware-removal-checklist-for-wordpress-diy-security-guide/
Using this, I was able to detect the script that was considered as malware:
[ Malware script redacted ]
http://ninjafirewall.com/malware/index.php?threat=2013-08-21.02
I was able to detect this from the header.php (in /wp) and press-this.php (in /wp/wp-admin). Aside from those files, I can't find anything else. I also cannot find invisible IFRAMES on any of the relevant pages as indicated in the resource I was using (.htaccess, wp-config, etc.).
I have also:
changed the password for WordPress (I can't change the password for FTP and cPanel access)
added a CAPTCHA to WordPress log-in
changed WP security keys/salts
change file permission (to 755)
created a 503 page for the site (which seems useless because the malware warning still appears on the browser - I know it's supposed to inform crawlers that the site is under maintenance, but having the warning appear before being able to view the page from a user's perspective kinda destroys the purpose of a 503. But maybe I'm just misinformed).
Still, Google Webmaster Tools and Sucuri Malware Scanner found malware on more than 50 pages in our site. http://sitecheck.sucuri.net/results/portprep.com/wp
What else did I miss? Did I do everything correctly and just wait until Google waives off the penalty?
I don't want to delete everything on the site since it's just as tricky to restore everything from scratch, but if there's no more hope, how should I go about reinstalling the files?
Thanks in advance for your advice!