On a more practical basis, you will want to validate that the pop-up form is indeed malicious in which case ideally you're going to want to:
Review admin users, delete any no longer needed and change passwords of all other users.
Review users that have access to server and do the same thing.
Identify the compromise and remove, this could be some malicious code on the server, or in the database (through something like the miscellaneous scripts section of system configuration). A developer will be needed here though if you're lucky magereport.com might help confirm that you're compromised as they detect some common attacks.
Create a fresh new server with new credentials.
Redeploy from version control to new server
Copy across cleaned database to new server
Relaunch/Migrate site on new server with new protections.
---- If you've found one of my answers useful, please give "Kudos" or "Accept as Solution" as appropriate. Thanks!