• Hi everyone,

    First post for me, although I’ve been dabbling with WordPress for years. Usually by reading and searching the forum I am able to find the answers I’m looking for, but I’m afraid I’m in a bit over my head.

    http://www.massive-media.ca

    This is the domain and I will do my best to explain what’s going on.
    The exploit seems to be smarter than other ones I’ve fixed, as sites like Sucuri aren’t picking up any issues. I would not have even discovered it had it not been for the broken slider on the homepage.

    Aside: I’m assuming the exploit is the reason for the broken slider, but wouldn’t be surprised if it was something else? Either way, thank you for being broken or there is no way I would have found this.

    Adding another layer of tricky to the mix, if you have visited the site before, the code does not populate, but upon deleting domain cookies, it will be the first element within the body tag. It doesn’t appear to be malicious at all, just hidden text with a boatload of backlinks to random payday loan/streaming TV/etc. type sites.

    I am thoroughly fascinated by netsec but have little experience so would like to do as much of this as I can. In terms of what I’ve read and done so far:

    http://wordpress.org/support/topic/hackedmalware-need-help-please
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    My issue seems to be very similar to the above link which led me to the other 4 posts. I’ve pulled all the files out through FTP and am about to backup the DB. I’ve combed through some of the files looking for a variety of things, but with lack of experience am unaware of what exactly to look for.

    A question that I should know, but for some reason do not – is if I wipe the DB and FTP to have a fresh start, although the content throughout the site will be the same – how will this affect PR and SEO?

    What I’ve done so far:
    Changed passwords for DB, WP panel, FTP.
    Scanned personal comp.
    Contacted host (GoDaddy), pending reply.
    Changed secret keys.
    Looked at htaccess but not sure what to look for.
    Backed up through FTP and soon DB.

    Out of my desire to learn, I have a few questions:

    The bad stuff only seems to be in one spot. <div class="theheader_e"><p>Bad code is in here, like 300-500 words at least</p></div>
    Call me naive, but this is where my questions start.

    1) I’ve been scouring a ton of files for the above code, whether it’s the long string inside the paragraph, PHP that would pull it in server side or even the CSS file that’s giving the snippet its rules.
    Question: Is looking for this a waste of time due to the possibility of everything being pulled server side by a harmless-looking script?

    2) The CSS class attached to the bad code is “theheader_e”; when using Firebug it tells me that the source file is Massive Media #2, which makes no bloody sense to me??

    3) In summary, in a situation where re-installing etc is the worst case scenario – Where do you start and what am I looking for within the FTP & DB?

    a) A malicious file?
    b) a string within an existing file?
    c) so broad it’s not even worth trying to answer, learn more while stumbling through endless problems and learn with time

    Am I asking the right kinds of questions?

    Thanks for reading this much! My head hurts…

    Let me know if you need further clarification.
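
Added example, not part of the original post: on question 1, a literal search for the class name misses a copy that sits base64-encoded inside a PHP file, so this scanner for a downloaded backup also decodes long base64 runs and flags common obfuscation calls. The function names, the list of calls and the sample theme files are assumptions constructed for illustration.

```python
import base64, binascii, re, tempfile
from pathlib import Path

MARKER = b"theheader_e"  # CSS class quoted in the post
# Generic PHP obfuscation primitives (assumed list; the post names none)
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}")

def hides_marker(data: bytes) -> bool:
    """True if a long base64 run in data decodes to bytes containing MARKER."""
    for run in B64_RUN.findall(data):
        try:
            decoded = base64.b64decode(run + b"=" * (-len(run) % 4))
        except binascii.Error:  # run length cannot be valid base64
            continue
        if MARKER in decoded:
            return True
    return False

def scan_file(path: Path) -> list[str]:
    data = path.read_bytes()
    calls = sorted({m.group(1).lower().decode() for m in OBFUSCATION.finditer(data)})
    checks = [("marker-literal", MARKER in data), ("marker-base64", hides_marker(data)),
              ("calls:" + ",".join(calls), bool(calls))]
    return [label for label, hit in checks if hit]

def scan_tree(root) -> dict[str, list[str]]:
    """Map relative path -> findings for each PHP/JS/.htaccess file with a hit."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix.lower() in {".php", ".js"} or p.name == ".htaccess"):
            if (found := scan_file(p)):
                report[p.relative_to(root).as_posix()] = found
    return report

def demo() -> dict[str, list[str]]:
    """Scan a constructed three-file theme (sample data, not from the post)."""
    spam = b'echo \'<div class="theheader_e"><p>constructed spam</p></div>\';'
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "demo")
        theme.mkdir(parents=True)
        (theme / "header.php").write_text('<div class="header"><?php bloginfo("name"); ?></div>')
        (theme / "footer.php").write_bytes(b"<?php " + spam)
        (theme / "functions.php").write_bytes(
            b"<?php eval(base64_decode('" + base64.b64encode(spam) + b"'));")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Hits on the call names alone also occur in legitimate plugins, so compare each flagged file against a fresh copy of the same WordPress, theme and plugin version before treating it as injected.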

The topic ‘WordPress Site Hacked – need some advice!’ is closed to new replies.