I had a site hacked last summer, and had a serious bad time since no matter how many times I removed the detected files, they'd pop back up. I tried several plugins including Website Defender, Wordfence, and Bulletproof Security. Wordfence scans were the absolute best at detecting the malicious files as soon as they appeared. That's the good news. The bad news is that it took another plugin (Exploit Scanner) to help me find the files that were responsible for the upload of the attack. I strongly recommend the two together based on my experience.
Oh, and another thing... Just got an email from the WordPress people today (9/24/2014) about the bash exploit. I managed to check up on the exploit and had my CentOS Linux VPS updated with yum in about 5 minutes after getting that email. Thank you Wordfence!