I would only add that you should then rename your manager, connectors, and assets folders, and move the core directory above the web root as described here.

Thanks for posting that. I think it will help a lot of people.

I would only add that you should then rename your manager, connectors, and assets folders, and move the core directory above the web root as described here.

Do you mind if I make this into a blog post (with credit to you), to make it easier to find?

1. Back up your database.
2. Change the password for the site's database user.
3. Back up your non-MODX files if necessary. I didn't need to in my case. The client doesn't have access to upload anything, so all the site files are on my computer, and in a later step, I just re-uploaded them since I know they're clean. If you don't have copies of all of your site files elsewhere and will need to use the ones on the server, AFTER you make the backup, check all of those directories and delete anything that you know isn't supposed to be there, using Google if you aren't sure. Actually, Googling everything suspicious you find is a good practice so you know better what you're dealing with. You could have multiple infections. (Don't worry, this method will still clean them, as long as they didn't get into your database.) Also take this opportunity to do some cleanup if you find things uploaded that you're no longer using, so you don't end up with outdated, potentially vulnerable code hanging around.
4. Download ./core/config/config.inc.php and rename it to something like config.inc.php_orig.
5. Prepare to do a new, clean install of MODX, the same version you currently have. (Upgrades come later.) Don't install yet, just be prepared. The next step breaks your site, so once it's time to reinstall, having this done will get you back live as quickly as possible. If you're installing via command line, make sure you have the file downloaded and a new db and user created. I went the simple route and used CPanel's Softaculous since it's pretty much a one-click install and it creates the new db and user for you. (Although it also led to my first oops. My site was on v2.7.0 and I didn't notice that it was giving me the shiny, new v2.7.1 that just came out. This led to a bit of weirdness, thankfully easy to fix. (Details below.))
   IMPORTANT: You won't actually be using the new database and its user, but make sure whatever process you use creates ones for the new install and doesn't overwrite the existing ones!
6. Go into the site's manager and uninstall (don't remove) all of your extras, then log out.
   Note: I forgot to do this so I ended up with a broken manager later on, but it was easily fixable by editing the database. (Again, details below.)
7. Rename all of the MODX directories. You can do it via (S)FTP, I did it via command line, so for anyone who wants to copy/paste using the names I used, make sure you're in your site's root directory (./public_html, for me), or the appropriate subdirectory if you don't have MODX installed in root, and:
   # mv ./assets ./assets_old
   # mv ./connectors ./connectors_old
   # mv ./core ./core_old
   # mv ./manager ./manager_old
8. In the site's root directory, back up and then delete config.core.php, ht.access, and index.php. (May be optional for you, but Softaculous complained when it found them there.)
9. Install MODX into the same location as the original install. Check the home page to make sure it brings up the default for a new install, and make sure the manager page loads. This rules out permissions errors if you run into problems later.
10. Download the new ./core/config/config.inc.php and make a backup copy (in case you need to revert and don't want to rely on your editor's undo feature). Modify the database info to match the info from the original version you downloaded earlier, then re-upload the new one. You'll be changing the variables $database_user, $database_password (don't forget to change this to the new one), $dbase, and $database_dsn. Also change $table_prefix and $database_connection_charset if your installation method set them to something else. Your shiny, clean new MODX install will now be connecting to your original site's database.
11. Upload clean copies of your site files into ./assets/, or restore them from ./assets_old if you have to, double-checking again to make sure they're clean.
    IMPORTANT: Do not restore ./assets/components/
12. COPY all of the zip files in ./core_old/packages/ except core.transport.zip to ./core/packages/. Just the zip files, ignore the rest.
13. Log into your site's manager. You may get a blank page. Don't panic! Here's how to troubleshoot:
    
    • If you forgot to uninstall your extras like I did (sigh), it could just be an issue with the manager home page. Try going directly to the package manager page:
      http://www.yoursite.com/manager/?a=workspaces
    • If you can't access that either, you'll need to disable them in the database. I use phpMyAdmin. (NOTE: See my question below, these instructions worked for me, but may not be entirely correct.) Go to the modx_transport_packages table, and update the records, setting disabled to 1. You can do them all at once, or one at a time if you think you know what's causing the problem. If you have UpgradeMODX installed, start with that one, that fixed it for me.
      QUESTION: Is that actually the best method? I know deleting the records entirely would work, but removing them from the package manager list will make reinstalling them a lot more of a pain. Also, after reinstalling my extras, I see that some still have disabled set to 1. But all of them are working. What exactly did changing this field do besides make UpgradeMODX stop crashing my manager?
    • If disabling all of your extras doesn't work, double-check ./core/config/config.inc.php and make sure you correctly updated all of the db values I listed, and, assuming you changed it, that you're using the new password for the db user, not the original.
    In my experience so far, the above should fix any blank manager problems caused by this process. (If anyone finds any others, let me know and I'll update.) Otherwise, there are other things that can cause a blank manager page even on a completely new install. Search the forums for tips, or just wipe the new directories and database and try again, double-checking to make sure you're installing the same version you already have installed. Or if you'd rather try a different method, delete the new directories, undo step 7, re-upload the files you deleted in step 8, update the password in this version of ./core/config/config.inc.php, and you'll have your original site back in less than a minute.
14. So, once in the manager, go to the package manager. It'll show your extras as being installed, even though they aren't. You can try just reinstalling them, but I went ahead and uninstalled them first. Note: I got errors when reinstalling UpgradeMODX, I assume because I was using the v2.7.0 database with v2.7.1. But thankfully it did install and work properly. If you don't already have UpgradeMODX, install it.
15. Using UpgradeMODX, reinstall the MODX version it tells you that you have installed. (After doing this, I again uninstalled and reinstalled UpgradeMODX, this time, with no errors.) You probably only need to do this if you do what I did and install the wrong version of MODX, but it can't hurt.
16. Check your site, it should now be working just like before, minus any malicious intruders. Now upgrade to the most recent MODX version if you're not caught up. (If you're multiple versions behind, follow the instructions and don't upgrade directly to the latest. Do it in stages.)
17. Almost there. Go to the Error Log (Manage->Reports->Error Log) and clear it. Open the manager in a new tab/window, click around for a bit, and refresh to see if you get any errors. Troubleshoot if necessary. Then clear again, click around the front-end of your site, refresh, troubleshoot if necessary. (Unfortunately I can't give any real advice here except to remind you that Google is your friend. Errors/warnings at this point are probably specific to your site. For example, I was getting one because some code in one of my snippets has been deprecated. I'm also getting one related to modMenu, but I need to research that, I don't think that's my fault.)
18. Finally, once you're sure everything is working, back up all the *_old directories and delete them, and delete the dummy db and user created with the fresh install. If you installed via Softaculous, update the installation info with the correct db name and user. Also, I like to delete everything in ./core/cache/ once all the fixing and upgrading is done to make sure nothing weird is left over.

I wonder if your website is still clean?
My site was infected several times now, so looks like I have to clear it more thoroughly now. So I plan to use above steps.
But is is not clear how I recover the contents after we delete the data base in step 8.
Is there maybe a step missing after step 15?