The first time you run the script (with the default settings), it shows you the snippets it thinks might be suspicious, and in what files it found them. You need to use your own judgment about the text that is displayed (combined with your knowledge of what text your pages normally contain) to decide whether each snippet actually is malicious or not.
For each snippet that actually is malicious, open each file in a text editor and remove the code that the hacker put there. Use "code view" (HTML) to do that. Don't use a WYSIWYG editor.
There are some other things that are worth searching for in your files. They aren't included in the script's default settings because the things to search for are different for every site:
The page at http://25yearsofprogramming.com/blog/2009/20091124.htm explains how to get the Google Safe Browsing Diagnostic Report for your website. If your site is flagged there for malware and the report mentions malicious domains (websites) or IP addresses, create new regular expression entries for them in the lookforbadguys script (in the $SuspiciousSnippets array) so the script can search your site for references to those domains or IP addresses.
Then, even if your site is not flagged for malware, you can go to http://www.unmaskparasites.com/ and get a report of the websites from which your pages pull external content. If any of those look suspicious (that is, you don't think your website should be pulling content from those sites, so the hacker probably put those references there), add regular expression entries for them to the $SuspiciousSnippets array, too, so the script can search for them as well.
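The steps above amount to turning a list of reported hosts into regular expressions and running them over every file. The PHP below is an added illustration of that technique, not the lookforbadguys script itself: the real script's $SuspiciousSnippets format may differ, the host names and IP address are constructed placeholders rather than indicators from any report, and the three sample pages are constructed inline so the code runs offline. Note the use of preg_quote() so the dots in a host name match literally, and the boundary lookarounds so "bad-example.invalid" is not reported when it only appears inside a longer, unrelated name.

```php
<?php
// Added example (not the lookforbadguys script). Builds regex entries from
// hosts named in a Safe Browsing / UnmaskParasites report and scans files
// for them, printing the file, line and surrounding snippet for review.

// Constructed placeholder hosts; replace with the ones your report lists.
$reportedHosts = ['bad-example.invalid', '192.0.2.44'];

// Turn a host into a delimiter-safe PCRE entry. preg_quote() escapes the
// dots, so '192.0.2.44' does not also match '192x0x2x44'. The lookbehind
// and lookahead stop the entry matching inside a longer host name or a
// longer IP address (e.g. '192.0.2.445'), while still matching subdomains.
function hostToPattern(string $host): string {
    return '/(?<![A-Za-z0-9-])' . preg_quote($host, '/') . '(?![A-Za-z0-9-])/i';
}

$SuspiciousSnippets = array_map('hostToPattern', $reportedHosts);
// Generic entries that are the same for every site can sit alongside them:
// a hidden iframe, and PHP that evaluates decoded/obfuscated content.
$SuspiciousSnippets[] = '/<iframe[^>]*\bstyle\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)/i';
$SuspiciousSnippets[] = '/eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(/i';

// Scan a map of filename => contents. Returns one hit per (line, pattern),
// with a short snippet of context so the reader can judge it by eye.
function scanFiles(array $files, array $patterns): array {
    $hits = [];
    foreach ($files as $name => $contents) {
        foreach (explode("\n", $contents) as $lineNo => $line) {
            foreach ($patterns as $pattern) {
                if (preg_match($pattern, $line, $m, PREG_OFFSET_CAPTURE)) {
                    $start = max(0, $m[0][1] - 40);  // ~40 chars before the match
                    $hits[] = [
                        'file'    => $name,
                        'line'    => $lineNo + 1,
                        'pattern' => $pattern,
                        'snippet' => substr($line, $start, 80 + strlen($m[0][0])),
                    ];
                }
            }
        }
    }
    return $hits;
}

// Constructed sample pages: about.htm carries an injected hidden iframe,
// notes.htm mentions a different host that merely contains the reported one.
$samplePages = [
    'index.htm' => "<html><body><h1>Welcome</h1>\n<script src=\"/js/menu.js\"></script>\n</body></html>",
    'about.htm' => "<html><body><p>About us</p>\n<iframe src=\"http://bad-example.invalid/x.php\" style=\"display:none\"></iframe>\n</body></html>",
    'notes.htm' => "<p>Contact the notbad-example.invalid team</p>",
];

// Expected: two hits, both on about.htm line 2 (the host entry and the
// hidden-iframe entry); index.htm and notes.htm produce none.
foreach (scanFiles($samplePages, $SuspiciousSnippets) as $hit) {
    printf("%s:%d  matched %s\n    %s\n",
        $hit['file'], $hit['line'], $hit['pattern'], trim($hit['snippet']));
}
```

In practice you would replace $samplePages with the result of walking your web root (for example with RecursiveDirectoryIterator) and reading each file; the matching and reporting logic stays the same. As the text says, a hit is only a candidate: a reported host can legitimately appear in, say, a blog post discussing it, so each snippet still needs a human decision.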
That's basically it. The lookforbadguys script helps you find text that shouldn't be in your files, but it can't know for sure what is suspicious and what isn't. Making that decision usually means examining the snippet yourself and thinking about what it does.