Yesterday people started telling me the site had been flagged by Google for hosting malware, and we found it. It appears to be a database thing not actually related to Drupal since another site on the server running Wordpress got hit at the same time, and it only places the bad code in the files intermittently—so when it was gone yesterday I thought it was gone for good. If you actually get infected it will be very obvious. Instructions on how to remove "System Tool" are all over the google, but usually the best course of action is to do a system restore.
I'm going to be monitoring this closely the rest of the day, but my body has its own malware—zing!—and I feel miserable so other than watching for iframes like a hawk I am taking a sick day.
A thousand apologies for any trouble this caused people.