I have a few sites sharing the same database and since this particular site was launched in November the database gets hammered with what appears to be brute force attacks (massive throughput and up to 8000 selects a second as opposed to 10 when this site is not running). I have secured the login points and am confident it's not coming from this or any form on the site. I did find injected malware script early on which I deleted and that appeared to stop it for a while but it came back within a week. It seems to happen at specific times (Mondays, Fridays, 1st of month) so is scheduled but it's at the point now where no amount of Apache restarts or DB reboots will stop it so I have been forced to put the site into maintenance mode. Hope this gives a clearer picture.
Umm, I see. If the malware scanner is not detecting encoded content then maybe you should look for "select" or other MySQL patterns in the files. In a Linux environment you can do that with the "grep" command.
Also you could try analyzing the entire filesystem with a server antivirus; does your hosting provider have one?
And the last step could be to identify which file is launching the queries; at this point you will need the help of your hosting provider. Explain the situation to them so they can take action to identify the file.
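The grep search suggested in the reply above, as an added example that is not part of the original thread: it ranks files by how many lines look like SQL statements and, going slightly beyond the reply, lists the recently changed files among them. The function names, `SQL_PATTERN` and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): rank files by lines that look like SQL.
# SQL_PATTERN is an assumption; tune it to the queries your own code issues.
SQL_PATTERN='select[[:space:]].*[[:space:]]from[[:space:]]|insert[[:space:]]+into[[:space:]]|update[[:space:]].*[[:space:]]set[[:space:]]|delete[[:space:]]+from[[:space:]]|union[[:space:]]+select'

# sql_hits DIR: print "<matching lines><TAB><path>", busiest file first.
sql_hits() {
    # -r recurse, -I skip binary files, -i ignore case, -c count lines, -E ERE
    # (-r and -I are supported by GNU and BSD grep)
    grep -rIicE -- "$SQL_PATTERN" "$1" 2>/dev/null |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
        sort -rn
}

# recent_sql_files DIR DAYS: files changed in the last DAYS days that contain SQL.
recent_sql_files() {
    find "$1" -type f -mtime "-$2" -exec grep -IilE -- "$SQL_PATTERN" {} + | sort
}

# make_sample: build a constructed web root for the demo and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/app" "$d/uploads"
    printf '%s\n' '<?php $r = query("SELECT id FROM users WHERE id = 1");' \
        > "$d/app/user.php"
    printf '%s\n' 'SELECT * FROM accounts WHERE 1' \
        'select pass from accounts limit 1' \
        'INSERT INTO log VALUES (1)' > "$d/uploads/cache.php"
    printf '%s\n' 'Please select a colour.' > "$d/app/help.txt"
    # Give the legitimate files an old modification time; cache.php stays new.
    touch -t 202001010000 "$d/app/user.php" "$d/app/help.txt"
    printf '%s\n' "$d"
}

# With a directory argument scan it; with none, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    sql_hits "$1"
else
    s=$(make_sample) && sql_hits "$s" && recent_sql_files "$s" 7
    rm -rf "$s"
fi
```

A file that holds several statements, was modified recently and sits in a directory that should not contain code is the first one to read by hand; ordinary prose such as "select an item from the list" can also match, so treat the output as a shortlist rather than a verdict.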