Thank you Ray. Do I delete all the CMS files from the server and then upload all the new ones? Will I have any problems because all the tables are already setup in the databases?
After I do all this updating, can I then upgrade PHP on my server? The guy at GoDaddy said the hack could have happened because I'm not using the latest version. All my sites are made with PHP pages, not just those with CMS.
I think I got everything deleted that shouldn't be on server for all 50+ websites yesterday but I didn't look in CMS folder. I just looked there now. Sure enough - file called haxor.php. I've only checked a few sites so far but I only found that file in one and that was the same site that was hacked 5 years ago. You helped me fix that at the time.