I had a similar problem. I had a habit of not checking for updates for open source scripts. SMF and Joomla were hacked and also I believe my Wordpress was hacked last year. In one case, the main index.php file had a small piece of code added at the bottom which tested the visitor's browser and if Internet Explorer was used, it added an iframe to a site containing a trojan. I usually used Firefox or Opera, so I never saw it. One day I decided to test the site using IE7 and my antivirus alerted me to the malicious code.
What should be done is for all user files be deleted and replaced with backups that are known to be uninfected. If there was an existing vulnerability that the hacker exploited it may be exploited again. These hackers like to put in backdoors so if the malicious code is found and removed, they can regain access to the site. A fresh installation of all files is best.