I have gone through many different routes to look for the injected code within the site itself. Because it effects almost all the wordpress installs on my server, I am thinking it is at the root level somewhere at Bluehost. Still interested if anyone else has seen this.
Thanks
Just put the index.php and .htaccess back into the blog folder, and had the same issue. Not related to the having the homepage outside the wordpress folder.
