How can I remove the Review step in Onepage checkout?

For one you need to rewrite Mage_Checkout_Block_Onepage::_getStepCodes():

 /**
 * Get checkout steps codes
 *
 * @return array
 */
protected function _getStepCodes()
{
    /**
     * Originally these were 'login', 'billing', 'shipping', 'shipping_method', 'payment', 'review'
     *
     * Stripping steps here has an influence on the entire checkout. There are more instances of the above list
     * among which the opcheckout.js file. Changing only this method seems to do the trick though.
     */
    if ($this->getQuote()->isVirtual()) {
        return array('login', 'billing', 'payment');
    }
    return array('login', 'billing', 'shipping', 'shipping_method', 'payment');
}

Then there is the part where you want to save your order after the payment step through an event observer:

/**
 * THIS METHOD IMMEDIATELY FORWARDS TO THE SAVE ORDER ACTION AFTER THE PAYMENT METHOD ACTION
 *
 * Save the order after having saved the payment method
 *
 * @event controller_action_postdispatch_checkout_onepage_savePayment
 *
 * @param $observer Varien_Event_Observer
 */
public function saveOrder($observer)
{
    /** @var $controllerAction Mage_Checkout_OnepageController */
    $controllerAction = $observer->getEvent()->getControllerAction();
    /** @var $response Mage_Core_Controller_Response_Http */
    $response = $controllerAction->getResponse();

    /**
     * jsonDecode is used because the response of the XHR calls of onepage checkout is always formatted as a json
     * string. jesonEncode is used after the response is manipulated.
     */
    $paymentResponse = Mage::helper('core')->jsonDecode($response->getBody());
    if (!isset($paymentResponse['error']) || !$paymentResponse['error']) {
        /**
         * If there were no payment errors, immediately forward to saving the order as if the user had confirmed it
         * on the review page.
         */
        $controllerAction->getRequest()->setParam('form_key', Mage::getSingleton('core/session')->getFormKey());

        /**
         * Implicitly agree with the terms and conditions by confirming the order
         */
        $controllerAction->getRequest()->setPost('agreement', array_flip(Mage::helper('checkout')->getRequiredAgreementIds()));

        $controllerAction->saveOrderAction();
        /**
         * jsonDecode is used because the response of the XHR calls of onepage checkout is always formatted as a json
         * string. jesonEncode is used after the response is manipulated.
         *
         * $response has here become the response of the saveOrderAction()
         */
        $orderResponse = Mage::helper('core')->jsonDecode($response->getBody());
        if ($orderResponse['error'] === false && $orderResponse['success'] === true) {
            /**
             * Check for redirects here. If there are redirects than a module such as Adyen wants to redirect to a
             * payment page instead of the success page after saving the order.
             */
            if (!isset($orderResponse['redirect']) || !$orderResponse['redirect']) {
                $orderResponse['redirect'] = Mage::getUrl('*/*/success');
            }
            $controllerAction->getResponse()->setBody(Mage::helper('core')->jsonEncode($orderResponse));
        }
    }
}

The above observer method implicitly agrees with the terms and conditions. This is illegal in some countries and you might want to display the terms and pass the agree post fields on the payment method page.

Also you might want to have a look at opcheckout.js to make shure people cannot post the order form twice etc...

This is just to point you in the right direction. It is not a complete solution because the exact implementation depends on your customer's wishes of course and I don't want to rob you of the fun of finding out the details of the solution yourself. But of you get stuck totally, please let us know.