If you're comfortable in Unix, I've found it useful to download a fresh copy of WordPress then use the "diff" command to point out what's been modified by hackers.
(in ubuntu)
sudo mkdir .tmp
cd .tmp
sudo wget http://wordpress.org/latest.tar.gz --no-check-certificate
sudo tar -xzvf latest.tar.gz
sudo diff -qr /var/www/webz/.tmp/wordpress /var/www/webz/wordpress |grep differ
Another cleanup tactic is to delete all files in your WordPress install except for .htaccess, wp-config.php, and the /wp-content/ folder. Then copy the contents of a freshly downloaded WordPress install back into the file system. You still have to find modified files in uploads and plugins, but here are a few things that can help.
Deletes all .php files in the uploads directory:
sudo find ./wp-content/uploads -type f -name "*.php" -delete
sudo grep -lr 'php $GLOBALS' .
sudo grep -ril --include='*.php' "^'[0-9A-Za-z]*=';\$" .
These will help you hunt down base64-encoded content, more often than not left by hackers.
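The `diff -qr ... | grep differ` filter above keeps only "Files ... differ" lines, so files that exist only in the live tree ("Only in ..." lines) never show up. The following is an added example, not part of the original post: a read-only audit function that reports modified core files, files added outside the site-specific paths, and PHP files under uploads. The function name `audit_wp`, the output labels, and the sample trees built by `demo` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# audit_wp CLEAN_DIR LIVE_DIR: read-only report, nothing is deleted.
audit_wp() {
    local clean="$1" live="$2" rel
    # Walk every file in the live tree, as paths relative to its root.
    (cd "$live" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        case $rel in
            wp-content/uploads/*.php)   # PHP where only media belongs
                echo "UPLOAD-PHP $rel"; continue ;;
        esac
        if [ -e "$clean/$rel" ]; then
            # Same path in both trees: the "differ" case.
            cmp -s "$clean/$rel" "$live/$rel" || echo "MODIFIED $rel"
        else
            case $rel in
                wp-content/*|wp-config.php|.htaccess) ;;  # site-specific, no clean copy
                *) echo "ADDED $rel" ;;                   # "Only in" case grep differ hides
            esac
        fi
    done
}

# Constructed sample trees (placeholder files, not real WordPress code)
# so the function can be exercised offline.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/clean/wp-includes" "$t/live/wp-includes" \
             "$t/live/wp-content/uploads/2020"
    echo '<?php // original'  > "$t/clean/wp-includes/load.php"
    echo '<?php // tampered'  > "$t/live/wp-includes/load.php"
    echo '<?php // unchanged' > "$t/clean/index.php"
    cp "$t/clean/index.php" "$t/live/index.php"
    echo '<?php // extra'     > "$t/live/wp-includes/cache.php"
    echo '<?php // extra'     > "$t/live/wp-content/uploads/2020/img.php"
    echo '<?php // config'    > "$t/live/wp-config.php"
    audit_wp "$t/clean" "$t/live"
    rm -rf "$t"
}
demo
```

On a real site, call it as `audit_wp /var/www/webz/.tmp/wordpress /var/www/webz/wordpress` and review the ADDED and UPLOAD-PHP lines before deleting anything.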