fivecentnickel.com – I think there’s a good chance they were compromised before they upgraded. So many sites were hijacked the previous time the hackers activated their payload that there was bound to be a second wave.

It’s probably worth double checking even if your site doesn’t exhibit any of the redirect problems. I know I grepped all my installs just in case.