On this blog too.

http://www.nelsonguirado.com/index.php/music/

Delete all your B2 files and upload a fresh set and see if that makes a difference.
I would check the JS content of your site for any scripts that are not default B2 or ones that you have added yourself.

OK. I'll try that. I don't feel like going line for line.

Why do you think it's only on a couple of blogs?

I looked at the source of the offending page and got (you can see where the trouble starts after "<body><div style="position:absolute;left:-74402px;top:":

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<base href="http://www.nelsonguirado.com/skins/evocamp/" />
<script type="text/javascript" src="/plugins/am_audio_player_plugin/audio-player.js"></script>
<style type="text/css" media="screen">
<!--
/* Visiglphs Plugin styles */
.vg1, .vg2, .vg3, .vg4, .vg5 {margin:0;padding:.1em;}
.vg1 {width:1.1em;height:1.1em;}
.vg2 {width:2.7em;height:2.7em;}
.vg3 {width:4.3em;height:4.3em;}
.vg4 {width:5.9em;height:5.9em;}
.vg5 {width:7.5em;height:7.5em;}
-->
</style>
<title>Asymmetric Music</title>
<meta name="description" content="Asymmetric take on rock, soul, and classical." />

<meta name="keywords" content="rock, modern rock, soul, r&amp;b, conservative music, christian music, fun music, decent music" />
<meta name="generator" content="b2evolution 2.4.5" /> <!-- Please leave this for stats -->
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="http://www.nelsonguirado.com/index.php/music/?tempskin=_rss2" />
<link rel="alternate" type="application/atom+xml" title="Atom" href="http://www.nelsonguirado.com/index.php/music/?tempskin=_atom" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.nelsonguirado.com/xmlsrv/rsd.php?blog=30" />
<meta name="viewport" content="width = 750" />
<link rel="stylesheet" href="style.css" type="text/css" />
<script type="text/javascript" src="http://www.nelsonguirado.com/rsc/js/functions.js"></script>

<script type="text/javascript" src="http://www.nelsonguirado.com/rsc/js/rollovers.js"></script>
</head>

<body><div style="position:absolute;left:-74402px;top:-56110px"></div><!--823697339--><h1>extended hotel stay chicago</h1> After signing up for <a href="http://iccec-europe.org/gallery/?info=214" title="stay chicago hotel extended">stay chicago hotel extended</a> service, it's easy to get started with adding your first trip. SWF loading //

So, just delete it and see how you go.

I copied the files over my installation and it didn't work. Also, I was hoping somebody would know how they hacked me so I could avoid it another time.

The same problem http://forums.b2evolution.net/viewtopic.php?t=17247

Check the file index.main.php in skin folders and delete "bad" <div> tag

Can you post the code from your /skins/_html_header.inc.php && skins/_body_header.inc.php ?

Alternatively could you pm me an ftp / pma login?

¥

/skins/_html_header.inc.php

<?php
/**
* This is the HTML header include template.
*
* For a quick explanation of b2evo 2.0 skins, please start here:
* {@link http://manual.b2evolution.net/Skins_2.0}
*
* This is meant to be included in a page template.
* Note: This is also included in the popup: do not include site navigation!
*
* @package evoskins
*/
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );

global $xmlsrv_url;

require_js( 'functions.js' );
require_js( 'rollovers.js' );

skin_content_header(); // Sets charset!
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php locale_lang() ?>" lang="<?php locale_lang() ?>">
<head>
<?php skin_content_meta(); /* Charset for static pages */ ?>
<?php skin_base_tag(); /* Base URL for this skin. You need this to fix relative links! */ ?>
<?php $Plugins->trigger_event( 'SkinBeginHtmlHead' ); ?>
<title><?php
// ------------------------- TITLE FOR THE CURRENT REQUEST -------------------------
request_title( array(
'auto_pilot' => 'seo_title',
) );
// ------------------------------ END OF REQUEST TITLE -----------------------------
?></title>
<meta name="description" content="<?php $Blog->disp( 'shortdesc', 'htmlattr' ); ?>" />
<meta name="keywords" content="<?php $Blog->disp( 'keywords', 'htmlattr' ); ?>" />
<?php robots_tag(); ?>
<meta name="generator" content="b2evolution <?php app_version(); ?>" /> <!-- Please leave this for stats -->
<link rel="alternate" type="application/rss+xml" title="RSS 2.0" href="<?php $Blog->disp( 'rss2_url', 'raw' ) ?>" />
<link rel="alternate" type="application/atom+xml" title="Atom" href="<?php $Blog->disp( 'atom_url', 'raw' ) ?>" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="<?php echo $xmlsrv_url; ?>rsd.php?blog=<?php echo $Blog->ID; ?>" />
<meta name="viewport" content="width = 750" />
<link rel="stylesheet" href="style.css" type="text/css" />
<?php include_headlines() /* Add javascript and css files included by plugins and skin */ ?>
<?php
$Blog->disp( 'blog_css', 'raw');
$Blog->disp( 'user_css', 'raw');
?>
</head>

<body>

<?php
// ---------------------------- TOOLBAR INCLUDED HERE ----------------------------
require $skins_path.'_toolbar.inc.php';
// ------------------------------- END OF TOOLBAR --------------------------------

echo "\n";
if( is_logged_in() )
{
echo '<div id="skin_wrapper" class="skin_wrapper_loggedin">';
}
else
{
echo '<div id="skin_wrapper" class="skin_wrapper_anonymous">';
}
echo "\n";
?>
<!-- Start of skin_wrapper -->

skins/_body_header.inc.php

<?php
/**
* This is the BODY header include template.
*
* For a quick explanation of b2evo 2.0 skins, please start here:
* {@link http://manual.b2evolution.net/Skins_2.0}
*
* This is meant to be included in a page template.
*
* @package evoskins
*/
if( !defined('EVO_MAIN_INIT') ) die( 'Please, do not access this page directly.' );

// By default, this does nothing. It's just here as a placeholder.

?>

Did you check the index.main.php file ?

OK. I changed everything. I'm willing to pay somebody to fix this thing.

The number 823697339 seems to be the signature of this virus (Google it). The negative position (the numbers) is large but more or less random, the (spam)link is random. Try a filesearch on that number and start with the skinfiles. The index.php file is the common place of infection. Most likely this is javaScript added. Probably the content of the script looks like garbage.
Change the password for your cPanel and FTP. According to whoo blogs can be infected by people that have access to it
Unfortunately I can't find information on this specific virus.

Good luck

Read here for answers :) http://forums.b2evolution.net//viewtopic.php?t=17247

Apart from the fact that it was PHP and not javaScript I was close ;)
Wel done sam2kb
Nelsonguirado, do you have the FCKEditor plugin installed on the blog?

Thanks guys. You saved me. Special thanks to Sam2K and Yabba for finding the problem. I wish it would have been before Google banned me, but at least I can try to rebuild.

By the way, it was some rootkit code called "cooper.php" in a barely used folder on my site and then the code to access this file was placed on my php files. The code was on almost every one of my files and was in base 64.

Again, I really appreciate it.

I don't have FCKE editor.

I discovered the exact same hack attack on a very unrelated Simple Machines forum I run.

That means that the perpetrator was almost assuredly not somebody I know, which is great news. It also means, I think, that if you have any php programs, you should check for the issue, especially if you're on Bluehost.