Andrew -
I have been going through all of this in the past 2 days:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
http://sitecheck.sucuri.net/scanner/
and now I'm bleeding from my eyes. What I've gleaned from most of that is:
1. Update the WP websites.
2. Back up/export the databases.
3. Delete everything in your directory and upload a clean install - I can do that as I have everyone's theme files pre-infection on my computer. I'll just have to eventually pick through the uploads folders.
My host provider also told me exactly where this started (an old WP site with a bad Cherry Framework theme), so that has been completely deleted from this hosting account. And like I said I can totally delete the websites and re-upload a clean install...
But I'm also finding the malware files above my public_html directory. How do I clean all that out when there are directories for 'mail', 'perl', etc.?
And what about the databases? I've read through all those materials but like I said I don't understand that. The article you gave me the link to said nothing about the database and having bad files above your public_html directory.
And thank you SO MUCH for taking the time to reply.