First, please remember that others can SPAM the world using your e-mail address as their Reply To: address, i.e., without accessing your server.
Since you've discovered that an attack had taken place, you have been hacked.
First, replace all your passwords with those you can create using http://strongpasswordgenerator.com - and make them STRONG! Don't forget ALL passwords, i.e., cPanel, e-mail, FTP and Telnet (if enabled). Eliminate all the entry points you don't need.
Have your host run and RErun maldet scans until there is no problem found then have them run by CRON on a regular basis. Maldet is a freeware app that admins won't let others setup and run but they will set it up for you if you ask (at least they do on WebHostingBuzz ... and WebHostingZoom before them).
If you're paranoid (and I am!), you can also generate a script which will compare and store hashed valued for your scripts (.php, .html and .js in particular) on a daily basis and CRON that, too!
You can never be too paranoid! "They" may not be out to get you but you may fall as an innocent victim of some hacker "just because he can."