What to do?
1. Take site offline, and replace with an "under maintenance" page.
2. Work out how the malware got there. The most recent was via an SQL injection vulnerability (HP(?) produce a useful scanner for these); another was down to an unpatched underlying operating system.
3. If it's an OS hole, plug it.
4. Restore the site and data from a recent, uncorrupted backup.
5. If it's a hole in the site, plug it.
6. Test.
7. Put it back live.
8. Subscribe to a service that will notify you of changes to the site, and take note of unexpected ones.
Various things not to do:
1. Leave it live while you try to work out how to fix it. It's much easier to get on to Google's list of malware-infested sites than off it.
2. Restore from backup and/or eliminate the malware from the site without diagnosing and fixing the vulnerability in the hope that it won't come back. It will.