I don't understand what's going on here.
I've just downloaded a copy of WP-SpamFree and, as far as I can tell, it looks fine. Could you open /wp-content/plugins/wp-spamfree/js/wpsf-js.php (download it from your server via FTP) and confirm it starts like this?
PHP Code:
<?php
$root = dirname(dirname(dirname(dirname(dirname(__FILE__)))));
if (file_exists($root.'/wp-load.php')) {
// WP 2.6
include_once($root.'/wp-load.php');
} else {
// Before 2.6
include_once($root.'/wp-config.php');
}
$wpSpamFreeVer = get_option('wp_spamfree_version');
$spamfree_options = get_option('spamfree_options');
$CookieValidationName = $spamfree_options['cookie_validation_name'];
$CookieValidationKey = $spamfree_options['cookie_validation_key'];
update_option( 'ak_count_pre', get_option('akismet_spam_count') );
@setcookie( $CookieValidationName, $CookieValidationKey, 0, '/' );
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header('Content-Type: application/x-javascript');
echo "
// WP-SpamFree ".$wpSpamFreeVer." JS Code :: BEGIN
// Cookie Handler :: BEGIN
For the source file to be consistent with the output I'm seeing, I would expect the last few lines to be
PHP Code:
header('Cache-Control: no-cache');
header('Pragma: no-cache');
header('Content-Type: application/x-javascript');
echo "
<div style="display:none"><!--741755589-->The <b><a href="xxxxxxxxxx [big long line of spammy text and links, or at least some code between the echo just above and the next line]
// WP-SpamFree ".$wpSpamFreeVer." JS Code :: BEGIN
// Cookie Handler :: BEGIN
If your copy is actually fine (i.e. without the spammy HTML line) then it looks like something is injecting the code into that file at runtime. Somehow.
I assume that you don't get an error when WP-SpamFree is disabled. Or if you do, is the error in a different file? Do you still get the error with just WP-SpamFree enabled?