Wipe and Load
I haven't used Wordpress that much, but if I'm not mistaken it is possible to do a Wordpress backup (posts, comments) etc., bomb the WordPress directory, reinstall WordPress, theme and plugins and restore from backup. Seems like this would be safer than manually looking through files in an attempt to discover malicious code etc. It doesn't take that long to reinstall everything.
Perhaps I'm missing something though; if anyone knows any better I'd be interested in hearing.