Turns out this was not an uncommon problem with OpenX. For the past year attackers have routinely exploited vulnerabilities in OpenX to serve up 'malvertising' to unsuspecting users. To its credit, OpenX has patched these holes as quickly as it finds them. Unfortunately, we didn't know about these vulnerabilities, and we had not patched our software. We simply set up OpenX to rotate some banners and forgot about it. That was a mistake.
Getting rid of the malware was as easy as getting rid of OpenX. (Hasta la vista, baby. Don't let the virtual screen door hit you on the way out.)
A bigger problem? Getting our site off of Google's blacklist. Even after we'd gotten rid of the malicious code, visitors to our site were still seeing those scary red screens telling the world we were bad bad webmasters who must be shunned. And this was happening on a day that the Google gods had been smiling down upon us, sending us lots of traffic.
It's like getting that cute guy or girl down the hall to finally notice you, on the day you've got a big juicy canker sore on your lip.
In a word, oy. But it gets worse.
My personal site, dantynan.com, was also red flagged. Why? Because I'd installed a widget that served up a scrolling list of headlines from eSarcasm. This meant any other site that had installed that same widget (a few hundred at last count) would also display the Red Screen of Death. This was very bad.
Fortunately, StopBadware has a simple process for reviewing sites that have cleaned up the nasty bits from a hack attack. We submitted our site and waited.