What you will need:
1. The Firefox Browser
2. The AdBlockPlus plug-in for Firefox
3. A text editor (I used TextWrangler)
4. An FTP client (I used Fetch because the guy is from Dartmouth)
First, confirm that you are infected. Using Firefox go to the page that you think is infected (in my friend's case it was every single Wordpress page including the Admin Dashboard). Then, using AdblockPlus select "Open blockable items" per the image on the left.
If you are infected, you will then see
http://go00ogle.net/if.phpas one of the scripts (just like in the picture below). You will probably see a bunch of different scripts compared to the picture depending upon your particular configuration (Wordpress version, Plugins, etc.). You can click on the image to enlarge it.
Once you've confirmed that you are infected, you will need to find which of your scripts is calling up the malicious script. Because the little evildoers are a bit sophisticated, you won't simply be able to look at the Page Source, instead you'll need to wade through all the other scripts on your page. The easiest way to do this is to load each script by loading the full URL into your browser and searching through it.
With AdBlockPlus, right-click on each script (except
http://go00ogle.net/if.php), and click
Open in New Tab. (You can enlarge the picture below for a closer look).
You will see a whole lot of what looks like gobbledygook, but what you're looking for is the code below:
In my case it was a bit more nicely formatted as per the picture below (click to enlarge).
An easy thing for the bad guys to do is to change the code slightly to make these instructions no longer valid - therefore they may change the above text slightly so it's not exactly the same. [Update]: Looks like they've already begun to modify it, see the comment from 12 August below.
In my case, the infected file was
podpress.js, but this won't always necessarily be the case. Since writing this I've heard of someone else having their
load-scripts.phpfile being infected instead.
Per the screen shot of AdblockPlus below, I now know the full path to the infected file (click to enlarge)
So then it was just a matter of using my FTP client to download the file, remove the offending bit of code with my text editor, save it and re-upload the file back to the server.
It's a pretty simple fix once you know what to do... but the discovery process was a bit tougher. Hope this helps.