SpoonMedia

Here are some suggestions:
Step 1, install GotMls Anti Malware by ELI
Step 2 Install Wordfence.
Step 3 get access to your ftp or server
Step 4 Get new passwords ready for database (cpanel makes this easy) and you can change it in your wp-config file via ftp, as well as your admin password and ftp pass last once you have cleaned the site
Step 5: Run the antimalware scanner, and fix all automatically that it finds.
Step 6 delete any unnecessary plugins and themes (some might be obvious, some not)
Step7: Run wordfence scanner, and any files tht it says have changed from the repo (default)
restore back to the original

Now here comes the fun bit.
Install plugin:
WP Antivirus Site Protection
Exploit scanner.

The WP antivirus will give you a list of backdoors and malware/exploits and does a good jo at identifying them,. It will not give you all the locations of the files however. Now while you have the results of the first scan run the exploit scanner. This might give you a lot of false positives, but you can cross reference the file locations of the first scanner and delete/clean the files. I find that if you are unsure about deleting them, rename the file in ftp, to filename.old instead of filename.php

Now check all functions in the site and make sure you didnt break anything. Once you are sure look up posts on hardening your wordpress and modifying your.htaccesss. Also change your ftp pass at this point. Document everything (Google docs is helpful for this if you are worried about a local security vulnerability. You can also pay some other services to clean up your site, but these steps should take you about an hour or so.