Hidden iFrame and Malware warning

A friend’s (decidely not upgraded) WordPress site has an iFrame insertion added which causes the dreaded “This site may harm your computer.” warning from Google, Firefox etc…

The diagnostic page lists:
Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-28, and the last time suspicious content was found on this site was on 2009-05-28.

Malicious software includes 2 exploit(s), 1 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including …

I’ve searched through all the WordPress files, the database, etc. and can’t see where the code is being injected from.

Blacklist Doctor list the index page and one of the category pages as having the code on it, but like I said, I can’t for the life of me find where it is…

I know there are similar posts to this in the forums – many of them saying to remove the iFrame code, but I can’t seem to find a resolution.