How to spot bad code in legit looking files in wordpress

My wordpress site has malware and I already deleted the bad looking files. They were easy to spot. But now my host says there could still be malware in the legit looking files. What plugin should I use or what should I do to spot them ? I onviously cannot go through thousands of wordpress files. Is there any shortcuts?