Thanks esmi. I've changed the password in the wp_users DB file for the blog site (which it looks like is where the hacker got in, because he had entered his own email address in the details). I've never done the Secret Keys part and would like to do so, but am confused as to which to use.
I clicked on the link for the WordPress key generator on this page http://codex.wordpress.org/FAQ_My_site_was_hacked. I should copy and paste those keys over the ones currently in my wp-config.php file for both my main website and my blog site?