About two hours before the site went down, people started reporting that they were seeing an ActiveX popup on every page of the site. It was in response to this that the site was brought down. (I would have done it earlier, but I was out when it was reported and didn't get back until later. Brought the site down as quickly as I could when I got back).
Removing the script was easy; most of the downtime was spent investigating how it had happened, and investigating what could be done to stop it happening again. I'm confident that the measures I've put in place have closed the hole for the time being. (There's still plenty more stuff to shore up, but I can work on it without the site being down).
Unlike the attacks last year, I am confident that there was no attempt made to access the site database. Hence, we are not asking you to reset your passwords. I don't think this attacker was even trying to get that kind of data; rather, they were looking to infect machines with what was most likely a botnet program.
If you were unlucky enough to browse the site in the couple of hours before it went down, using Internet Explorer, and you accepted the ActiveX download, and your antivirus software didn't stop you, then you need to run a malware sweep of your computer immediately. I'm extremely sorry that you have to do this, and hope we never cause you to have to do it again.
On the bright side. While the webserver was down, I took the opportunity to mess with the indexes on the database server. Browsing the forums should, I hope, now be a bit faster.
Jack