Author Topic: Malware is hidden at the header.php inside the themes directory.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33923
  • malware fighter
Malware is hidden at the header.php inside the themes directory.
« on: November 09, 2014, 12:00:31 AM »
https://www.virustotal.com/nl/url/377752bc1b21031ebfbde215b6352bbbcc334be83ded88b0c8176e175208c0af/analysis/1415469509/
22 potentially suspicious files: http://quttera.com/detailed_report/bloggingmadeeazy.blogspot.ca
Procedure: unescape has been called with a string containing hidden JavaScript code <script>function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));document.write(unescape(t));}</script>.
See: http://jsunpack.jeek.org/?report=fb03cdb96c8a15476c636242d47a4e12066e6664
Code:

    //document.write (s)
    <script language="javascript">
    function dF(s){
        var s1=unescape(s.substr(0,s.length-1));
        var t='';
        for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));
        document.write(unescape(t));
    }
    </script>

For security research only, open link with NoScript active and in a VM/sandbox.

    undefined variable dF
    error: undefined function dF -> http://labs.sucuri.net/db/malware/malware-entry-mwjs233

Also read: http://www.securityfocus.com/archive/1/511164
Direct marketing blog -> wXw.generation-blogging.blogsot.com/advertise-with-us

Detected: Object: htxp://bloggingmadeeazy.blogspot.ca/2009
SHA1: 7a16618a1bef52b696d26d3f7ccd005109a5f861
Name: TrojWare.JS.Agent.weq - removal info: http://blog.mitechmate.com/trojware-js-agent-weq/

avast has a lower detection ratio here: http://webcache.googleusercontent.com/search?q=cache:_ZWW3hyPQn4J:support.clean-mx.com/clean-mx/md5.php%3FComodo%3DTrojWare.JS.Agent.weq+&cd=1&hl=nl&ct=clnk&gl=nl  (at the moment the site is again under DDoS attack, therefore the webpage cache is provided)

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
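The dF() routine quoted in the post above is a small shift-and-unescape decoder: the last character of its argument is a numeric key, every character of the unescaped body is shifted down by that key, and the result is unescaped once more before being written into the page. The block below is an added example (not code from the post or from the infected site) that re-implements the same transform so an analyst can decode such a string offline and get the payload back as text instead of having it executed, plus a signature check for the dF() pattern in a file's contents. The function names, the benign constructed sample and the key value 3 are my own choices.

```javascript
// Static equivalent of the malware's dF(s): same arithmetic, but the decoded
// payload is returned rather than passed to document.write(). Uses the legacy
// global unescape()/escape() on purpose, because that is what the sample uses.
function decodeDF(s) {
  const key = Number(s.substr(s.length - 1, 1)); // trailing char = shift key
  const s1 = unescape(s.substr(0, s.length - 1)); // first unescape layer
  let t = '';
  for (let i = 0; i < s1.length; i++) {
    t += String.fromCharCode(s1.charCodeAt(i) - key); // undo per-char shift
  }
  return unescape(t); // second unescape layer yields the real payload
}

// Inverse transform, used here only to build a benign constructed sample
// (hypothetical helper; nothing on the forum page performs this step).
function encodeDF(plain, key) {
  const e1 = escape(plain);
  let shifted = '';
  for (let i = 0; i < e1.length; i++) {
    shifted += String.fromCharCode(e1.charCodeAt(i) + key);
  }
  return escape(shifted) + String(key);
}

// Triage check for theme files: flags the two idioms that identify this
// decoder, the "drop the last char then unescape" call and the subtraction of
// that last char inside String.fromCharCode(). Whitespace-tolerant regexes.
const DF_UNESCAPE_RE = /unescape\(\s*(\w+)\.substr\(\s*0\s*,\s*\1\.length\s*-\s*1\s*\)\s*\)/;
const DF_SHIFT_RE = /fromCharCode\([^)]*\)\s*-\s*\w+\.substr\(\s*\w+\.length\s*-\s*1\s*,\s*1\s*\)/;
function hasDFSignature(src) {
  return DF_UNESCAPE_RE.test(src) && DF_SHIFT_RE.test(src);
}

// The decoder as it appears in the infected header.php, copied from the post.
const SAMPLE_DF_SOURCE =
  "<script>function dF(s){var s1=unescape(s.substr(0,s.length-1)); var t='';" +
  "for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length-1,1));" +
  "document.write(unescape(t));}</script>";

// Constructed benign payload; round-trips through encode/decode with key 3.
const SAMPLE_PLAIN = '<b>constructed sample</b>';
function roundTrip() {
  return decodeDF(encodeDF(SAMPLE_PLAIN, 3));
}
```

When a real string is lifted out of a theme file, pass it straight to decodeDF() and inspect the returned text; nothing in it is evaluated.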