Help Removing Malicious Script From page

I have three pages, accessible only by password, that appear to have a malicious script in them. This script has previously been placed on [login to view URL] pages after the closing body tag and it was easy to remove but this infection seems to be injecting the code after the page is displayed. The pages are classic asp but have no dydmanic data displayed on the page. There is a MSSQL backend that may origianally have been the source of the infection. I need to know a) how the infection incurred b) how to remove it and c) how to prevent it.