It was in the source. Injected in the very first line of the page before the w3 tag. I checked the index files and the code was not there. It seems that it was being placed by the routine that constructs the actual viewable page. I thought about the piece of code being stored in a table of one of the databases but I couldnt find it doing searches on the databases so it probably was getting injected by a routine call within the index file or any other file called by the index. I am a trained programmer but I have never coded in php so I couldnt really trace the call. The fact is that I tried everything from updating WP to disabling, erasing and re-=installing the plugins and I couldnt stop it from loading. As soon as I deactivated, erased and re-installed the pandora theme I was able to stop it. That is why I am assuming that the malware piece of code was somehow embedded in one of the pandora's routines. How this happened, I dont really know. Like I said I host my sites in Hostgator as a re-seller with my own server. I host several sites in this server and I use WP in every single one of them, including a test site with networked WP on it, and this was the only site affected, the one with the pandora theme. My plugins in the pandora site are few, Askimet, Hello Dolly which was inactive, the WP import plugging and at one point a while ago I tried several sliders plugins to try to have sliders as widgets on my site but at the end I desisted and ended up deleting those plugs out. This was back in January. Whomever invaded my site did it sometime in May, I believe. The site was working fine up to this week. This is a site that has quite a following and although I have gotten emails from some visitors about being blocked, when I would check I was not seeing anything until this time when I got warned by google, so I discarded the previous complains as the user's own firewalls advising about the content and nothing serious (this site has sex-related discussions). I dont know if these previous complains were early warnings of a site being invaded but again, this week was when for the first time I experienced the google warning myself.