Hello and welcome to malwaretips.com,
1.Did you asked the Security team of the hosting company to run a scan of site?
2.Usually when malware in injected into a site, is commonly the result of a compromised password due to a virus-infected PC.
Most likely a users password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password as soon as they type it into FTP or Cpanel its immediately sent off to this script that then injects the files.
Trojan Zeus/Zbot is the most common vector of attack, so I strongly suggest that your client and all those who have a FTP accounts to scan their computer for malware with the following tools:
Malwarebytes Anti-Malware : http://www.malwarebytes.org/products/malwarebytes_free/
HitmanPro : http://www.surfright.nl/en/hitmanpro/
Emsisoft Emergency Kit : http://www.emsisoft.com/en/software/eek/
If you suspect that your computer or your client is infected, then we can run additional scans.
3.Change the passwords for all users and all accounts (for example, FTP access, administrator account, content management system authoring accounts).Do not use old passwords, generate new ones.
Check your users: It's possible that the hacker created one or more new accounts
4.What's the URL of the site,can you disclose it , so I can take a look at the source code of the site?
5.Run a scan of the website with the following tools:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://siteinspector.comodo.com/
