How do I find a maliscious script?

Greetings,
I could not find a general discussion thread in the forum as I had hoped. I need a bit of help from someone more experienced. As I told you we had our server attacked and our sites were hacked and compromised. We rebuild the server and made new clean installs. Before we entered any data (importing our wordpress DB’s) we protected every new site with incapsulate allowing only US and Canada Traffic and placed a code into the .htaccess file to prevent any site coming through a proxy from getting to the websites.
We now put all the sites up on the newly rebuilt server. the CPU went to 80-90% and we noted the email to run at 65-70%.
I suspended all of my accounts and immediately the mail server went back to 0% and the CPU to 2.9%.
Next I activated one domain after the other, very slowly and 36 out of 42 sites increased the CPU usage to very high levels and engaged the mail server to between 33 and 65%.
6 sites are running fine with no Mail server usage and at this time all six are stable with a total CPU load of less than 5% even when visitors are on site.
I am fairly positive that whoever attacked the server and my website injected a script somewhere. I simply do not have the knowledge to root this evil out. Is there a plugin or a script that I could run, on or off line to find the culprit and remove it from my sites?
What forums should I post this question on?
If you have an idea on how to help me thank you, and if not, thank you anyways.
Oh, BTW, I did test all of my plugins, even when I disabled every single plugin the behavior of the server did not change.

Regards
Michael G. Schurmann

[email address removed]