I am helping a friend fix her website. it appears someone was able to create an admin account in wordpress and upload bad stuff to her website. The most important things to do are to have your site updated to the latest release, http://wordpress.org/download/ and to be careful of plugins, and only have the themes installed that you are actually using. it appears that themes that are installed but not activated can also be used to make a mess.
here are some links to help those of you that may fall into the same problem