You can go with the Pro Plan to cover what you need for these sites. This server is in Eastern Canada which should be fine but I do have other server in the US if you would prefer that.
I’ll give credentials to the server once you sign up. I can also help you move the sites over when you are ready. From here on you should email me directly either by replying directly to the email notification of this post or by emailing:
support [AT] supersecurehosting.com
I don’t have any firm limits but I would need to make sure that I put your sites on a server that can handle your needs. These are not VPSs, what I offer is fully managed hosting on a modified CentOS kernel using cagefs to chroot each site into it’s own virtual filesystem, so no hacks can find their way from one site any other site on my servers. The server I have in mind for you would be a quad core with 32Gigs of RAM and 2 480 raided SSDs. I have a website for you to sign up for hosting services but I don’t promote it or offer much info on the site. My focus is on security and stability and so I only offer this my hosting to people who I feel really need it.
https://supersecurehosting.com/signup/
If you scan the public_html directory on the main site then it will probably scan all the sub-sites, it just depends on how your sites are structured on the filesystem.
The most important thing is to get all you sites clean at the same time. If you scan all your sites, and remove all the malware, and then scan all your sites again, and they are all fine for a little while, then the problem may not be coming from any of your sites. This malware could be spreading from a site on another account on that server. In that case you should probably move all your sites to a move secure server where they will not be exposed to cross-site contamination from other users.
I do offer Super Secure Hosting for $12/month per site. I could host all 4 sites for $44/month and they would never get hacked again. Let me know if you are interested and I can help you move your sites over to one of my Super Secure servers.
So there must be some other threats on the server that are re-writing these files. Have you run the Complete Scan on the site’s root directory?
Do you have any other sites on that server that might also be infected?
Can you send me a screenshot of the results from the Complete Scan right after you have cleaned these infections?
I have added this threat to my definition updates so that it can now be automatically removed.
With the kinds of trouble that you have had with the scan not completing and now the read errors, I would guess that the memory_limit in your php.ini file is set too low. Ask you hosting provider if you need help finding or changing the memory_limit on your server.
You also need to find the error_log files on your server. Those will tell you a log about the cause of these problems.
There must be something malicious remaining on the server that is rewriting that infection. You need to be able to run the Complete Scan.
Can you open the error Console in your browser’s Inspector and send me a screenshot of the Complete Scan when it gets stuck?
You can also check the error_log files on the server to see if there is anything that might indicate why the complete scan is not able to complete.
What site is this error on?
That issue is with your site’s configuration on the server not specifically with my plugin. First you need to fix the bug that is causing this error, then you can try the complete scan again.
Can you send me the error_log file so that I can try to help you pin down the root cause of this issue?
Thanks for posting this info but I think I just got this issue resolved. Another user had the exact same problem and they sent me access to that file so that I could see what went wrong. I have already just now released a new definition update that fixes this issue so that the whole threat will be removed from your wp-config.php file in future scans. Please update the definitions and let me know if you have any more problems with removing this threat.
This could be a permission issue, or script timeout, or even a memory_limit. The only way to be sure is to check you error_log files when after you get these errors to see what PHP logs as the cause of the issue.
Try adding the word cache to the list of directories to be skipped and see if it will complete the scan then.
You could also check the error_log files on your server to see if it will tell you why it was unable to scan that directory.
When the files are cleaned the malicious content is removed from the file but the file is not deleted, and a backup copy of the infected file (prior to the cleaning) is saved as a custom post type in your database for your review or further study. The backup records can be viewed and deleted from the Quarantine page and you can purge them from the database when you are done cleaning up the site and are sure that you will have no further need of these records.
Thanks for sending me this new variant. I have added this version to my definition updates. Please download the latest definition update and let me know if it still doesn’t get them all 
Thanks for the follow-up and for sending me those files to look at
I verified that none of those files contain any malicious code and specifically that all the code in the failes that were found by that other plugin are False Positives.
I don’t know much about that Shield Security plugin, and I cannot say for sure if any of these are real threats or just false positives, but it looks to me like these files have been flagged by that other plugin for string matches that could could easily have reasonable explanations and benign uses.
If you would like to email these files directly to me then I would be willing to confirm for you that they are clean.
