@songdogtech thanks and I agree. Thats why I recommended this as a starting point
I noticed that a lot of you are just simply removing the malicious script in header.php. I would highly recommend you search through all your php files in wp-admin, wp-includes, wp-content and uploads (pretty much all your files). I had found two malicious ones in two different folders.
@carlanne from my experience, your solution will only temporarily work, the injected script will just return. I am just sharing my experience and telling you that I have found malicious files on two different occasions in the folders I listed above.