iframe virus removal - mini how to

Hi guys!
Here is a how-to that may help you avoid getting infected, and help you find and remove malicious code if the site has already been hacked.
Let's go!


Many of the recent malicious code injections into web pages that we are seeing are the result of a virus on PCs that have FTP access to websites. It's likely that your computer, or your webmaster's PC, is infected by malware that steals FTP credentials and sends them to remote zombie computers, which then inject the victim website's pages with JavaScript or hidden iframes pointing to malicious websites.

To fix the issue, work through these instructions:

1) Scan your computer thoroughly, both with an antivirus
www.freedrweb.com/cureit/?lng=en
and with anti-spyware tools
www.malwarebytes.org/mbam.php
www.lavasoft.com/products/ad-awa … rsonal.php
www.safer-networking.org/en/download/index.html

By the way, as long as your or your webmaster's PC is infected, changing the password is useless: the new one gets stolen, too.

2) Once you are sure that your system is clean, change all site passwords: cPanel, FTP, databases, email. Change the FTP password in Dreamweaver if you use that software. If you have been using a single password for more than one purpose, take this opportunity to make every password different.

3) Now keep the new passwords secure. Don't use the auto-upload (saved password) features of your web site editors, Total Commander, FileZilla, etc. Enter the password every time you upload new content instead.

4) Always keep your computer updated with antivirus software and anti-malware tools, use a firewall (Zone Alarm, for example, tracks all outgoing connection attempts, which may belong to trojan horses), and use only one computer for FTP access.

5) Check that your file and folder permissions are secure. Many customers have also reported that malware infects files located in directories with 777 permissions. Although different sites have different configurations, the common permissions for world-accessible folders are 755, and the common permissions for world-accessible files are 644.
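An audit for step 5, written as an added example (it is not code from the original post): it walks a web root, reports every file or directory that is writable by "other" (the 7 in 777, the 6 in 666), and can reset those entries to the 755/644 values the post recommends. The sample tree it builds is constructed for illustration; on a real site, review the report before fixing, because an application may legitimately need a writable upload directory.

```python
"""Report and fix world-writable entries under a web root (step 5).
Added example, not from the original post; the sample tree is constructed."""
import os
import stat
import tempfile

DIR_MODE = 0o755   # common permission for world-accessible folders
FILE_MODE = 0o644  # common permission for world-accessible files


def world_writable(root):
    """Return sorted [(relative path, octal mode)] for entries writable by 'other'."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, oct(mode)))
    return sorted(hits)


def fix_permissions(root):
    """Reset each world-writable entry to 755 (dirs) or 644 (files); return how many."""
    fixed = 0
    for rel, _mode in world_writable(root):
        full = os.path.join(root, rel)
        os.chmod(full, DIR_MODE if os.path.isdir(full) else FILE_MODE)
        fixed += 1
    return fixed


def build_sample_tree():
    """Constructed web root: one correct dir/file pair, one 777 dir holding a 666 file."""
    root = tempfile.mkdtemp(prefix="perm-")
    for d in ("images", "uploads"):
        os.makedirs(os.path.join(root, d))
    for rel in ("index.html", "images/logo.gif", "uploads/note.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample")
    os.chmod(os.path.join(root, "images"), 0o755)
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "images", "logo.gif"), 0o644)
    os.chmod(os.path.join(root, "uploads"), 0o777)          # the bad folder
    os.chmod(os.path.join(root, "uploads", "note.txt"), 0o666)  # the bad file
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, mode in world_writable(root):
        print("world-writable:", rel, mode)
    print("fixed", fix_permissions(root), "entries; remaining:", world_writable(root))
```

Run it against a real tree with `world_writable("/path/to/htdocs")` first and only call `fix_permissions` once the list contains nothing your site needs writable; the function skips symlinks so a link into a system directory is never chmod'ed.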

6) Inspect modified files: look for pages with modification dates more recent than the last time you saved the page yourself, and check whether code has been added to them. Malicious changes to your website pages often take the form of invisible iframes or "obfuscated" JavaScript like this, for example:
######
<script>/**/function vud4(KcE4, MgJ3, oqf7) { var Wlj0; Wlj0=KcE4.split(MgJ3); var Sfq4=Wlj0.join(oqf7); return Sfq4;/**/ } function Udg6(MRGt) { MRGt = vud4(MRGt,"##+##","'"); MRGt = vud4(MRGt,"##|##","\\"); Sfq4=""; zzm5
######
<script language="JavaScript">e = '0x00' + '3D';str1 = "%86%DE%D5%C8%A2%CF%CE%C5%D6%D9%81%9C%C8%D5%CF%D5%DC%D5%D6%D5%CE%C5%84%DA%D5%DE%DE%D9%D0%9C%;str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
######
7) Inspect new files with obviously suspicious names. Some hacking activity results in files with names like defaced.html or vulnerable.php. Others might have nonsensical names, or names consisting of random character strings like dfh758t.php or doc3456.pl. Some might be in locations that make them suspicious, like a .php file in your /images folder.

Check your server directories for any new, suspicious or hidden files. Remove anything that should not be there. Pay special attention to the following potentially infected files: "backup.php", "thumbs.php", "image.php", "syns.php", which may contain a backdoor signature like this:

_______________________________________________________________________________
<?php $s="696620287374726C656E28245F504F53545B6363635D293D3D30297B69662028245F5
04F53545B706173735D213D2731323327297B6563686F20273C68746D6C3E3C626F6479206267636
F6C6F723D23424246464242206F6E6C6F61643D22646F63756D656E742E6D79662E706173732E666
________________________________________________________________________________
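A scanner for steps 6 and 7 together, added here as an example and not code from the original post. It walks a web root and reports, per file: a modification time newer than a baseline (the time of your own last upload), hidden iframes and the unescape/String.fromCharCode/document.write decoder shape shown in step 6, the suspicious names and locations listed in step 7, and long hex literals in PHP files that decode to code reading request data. That last check matters because the signature above is hex-encoded: its first bytes decode to `if (strlen($_POST[ccc])==0)`, so a plain search for `$_POST` would not find it. The heuristics, the sample site and its baseline timestamp are all constructed for illustration.

```python
"""Scan a web root for the signs described in steps 6 and 7.
Added example, not code from the original post; the heuristics and the
sample site are constructed for illustration."""
import os
import re
import tempfile

# Step 6: injected iframes and JavaScript droppers.
INJECTION_PATTERNS = {
    "hidden iframe": re.compile(
        r"<iframe[^>]*(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
        r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "unescape/fromCharCode decoder": re.compile(
        r"unescape\s*\(.*String\.fromCharCode", re.I | re.S),
    "document.write of decoded string": re.compile(
        r"document\.write\s*\(\s*\w+\s*\)", re.I),
}

# Step 7: names the post lists, random-looking names, scripts in image folders.
SUSPICIOUS_NAMES = {"defaced.html", "vulnerable.php", "backup.php",
                    "thumbs.php", "image.php", "syns.php"}
RANDOM_NAME = re.compile(r"^[a-z]{2,4}\d{3,}[a-z]?\.(php|pl)$", re.I)
IMAGE_DIRS = {"images", "img", "uploads", "media"}
SCRIPT_EXT = {".php", ".pl", ".cgi"}
TEXT_EXT = {".html", ".htm", ".js", ".php", ".pl"}

# A long hex literal is decoded and checked for request handling that a
# plain grep for $_POST would miss.
HEX_LITERAL = re.compile(r"[\"']([0-9A-Fa-f]{40,})[\"']")
PHP_REQUEST = re.compile(r"\$_(POST|GET|REQUEST)\b|\beval\s*\(|base64_decode", re.I)


def decode_hex_literals(text):
    """Decode every long hex string literal found in text (bad hex is skipped)."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode("latin-1"))
        except ValueError:
            pass
    return decoded


def scan_file(path, baseline):
    """Return the reasons a file looks suspicious (empty list means clean)."""
    reasons = []
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    parent = os.path.basename(os.path.dirname(path)).lower()
    if os.path.getmtime(path) > baseline:
        reasons.append("modified after baseline")
    if name.lower() in SUSPICIOUS_NAMES:
        reasons.append("known suspicious file name")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking script name")
    if ext in SCRIPT_EXT and parent in IMAGE_DIRS:
        reasons.append("script in an image/upload directory")
    if ext in TEXT_EXT:
        with open(path, encoding="latin-1") as fh:
            text = fh.read()
        reasons += [label for label, pat in INJECTION_PATTERNS.items() if pat.search(text)]
        if ext in SCRIPT_EXT and any(PHP_REQUEST.search(d) for d in decode_hex_literals(text)):
            reasons.append("hex-encoded code reading request data")
    return reasons


def scan_site(root, baseline):
    """Walk root; map relative path -> reasons for every file that is not clean."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = scan_file(full, baseline)
            if reasons:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_site():
    """Constructed web root: two clean files dated before the baseline and
    three infected ones written now. Returns (root, baseline timestamp)."""
    root = tempfile.mkdtemp(prefix="site-")
    baseline = 1_300_000_000  # constructed 'last clean upload' time
    os.makedirs(os.path.join(root, "images"))
    files = {
        "index.html": "<html><body><h1>Welcome</h1></body></html>",
        "images/logo.gif": "GIF89a",
        "about.html": '<p>Hi</p><iframe src="http://example.invalid/x" '
                      'width=0 height=0></iframe>',
        "contact.html": "<script>e='0x00'+'3D';str1='%86%DE';str='';"
                        "for(i=0;i<str1.length;i+=3){tmp=unescape(str1.slice(i,i+3));"
                        "str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}"
                        "document.write(str);</script>",
        # constructed stand-in for the hex-encoded signature shown in the post
        "images/dfh758t.php": '<?php $s="%s"; ?>' % (
            "if (strlen($_POST[ccc])==0){echo '<html>';}".encode().hex()),
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(content)
        if rel in ("index.html", "images/logo.gif"):
            os.utime(path, (baseline - 86400, baseline - 86400))
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_site()
    for rel, reasons in sorted(scan_site(root, baseline).items()):
        print(rel, "->", "; ".join(reasons))
```

On a real site call `scan_site("/path/to/htdocs", baseline)` with the baseline taken from your last known-good upload; treat every reason as a lead to inspect by hand rather than a verdict, and remember that once you have restored a clean copy the mtime check only stays useful if you record the new baseline.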

8) Upgrade all third-party scripts to the latest versions. Make a list of all the scripts you use. For each one, if you are not using the latest version, upgrade now. View the latest security advisories at Secunia.com.

9) Keep all your other internet-related software, such as browsers, viewers, plug-ins and add-ons, up to date with the latest security patches. NOTE! Especially important in 2009 are the Adobe Reader (.pdf) and Flash (.swf) plug-ins, because vulnerabilities in those two are common ways that well-known malware infects computers.

10) To test your site, download Google Chrome; if the site is still infected, the browser will detect it. If your site was flagged by Google, request a malware review via Webmaster Tools to have the warning removed.

Comments (1)

You are welcome to ask any questions regarding what has been written above!

Exorcist

  • 5 March 2011, 13:40
