Make a backup of the site's files and upload the files to Box.

Using your local backup of the sites files, scan with a virus scanner and move anything the scan finds into a results folder.

GREP through all of the files looking for php, JS, or perl code. Move any files you may find into the results folder.

TAR/ZIP the results folder and add it to Box.

Share the Box folder with the appropriate members of the Office of Information Security.

If your site has been flagged by Google as being malware/suspicious, you will need to verify the site with Google once it's cleaned up.