httpwebwitch - 7:27 am on Aug 27, 2010 (gmt 0)
Firstly, this is probably not your ISP/host's fault. Wordpress has a pretty lousy reputation for security. Sad but true. :(
I dealt with a WP hack a while ago, same deal. Google noticed it and blocked the site. Perhaps it's my own fault for not keeping up with upgrades - my installation of WP was several years old.
step one: shut the site down. Drop a simple index.html in the root with an apologetic message, and add a TEMPORARY redirect (307) in the .htaccess sending all traffic to that page.
Back up the database, and the WP theme you're using. Then erase everything.
Take a moment to peruse the database, make sure nothing in there has been compromised.
Install a brand new WP using the latest codebase from a fresh download. Restore the theme, and hook it back up to your database.
Now go through all the theme files - there aren't very many - and look them over top to bottom. Remove anything that you didn't create.
Do you use plugins? Get fresh versions of those too. Sorry if you customized any of them. They can't be trusted any more. Do you have a backup?
When my client's site was hacked, I also found malware in the footer - it's a handy place to expose the virus to your users because it's included on every page. But you can't stop there. It's likely that other files were compromised in less obvious ways. I found traces of the malware in at least 4 scripts before I decided to wipe it out and start with a fresh WP install.
While you're at it, change your root passwords.