If you upgraded, turned off HTML, checked every recent post and sigs for scripts, checked the validity of every file on your server, ensured no new admins were added, changed all the admin passwords, and are otherwise sure the server and board itself is not the entry point then the only other likely hole can be your (and your moderator's) computers or the guy's really smart and is packet sniffing everything going to your server (unlikely.)
Check the computers for trojans and backdoors with a recently updated anti-virus program AND an anti-trojan program.
Pandasoftware.com has a pretty good online anti-virus and it's free and also provides a free removal tool for the most common viri and trojans.
Simply Super Software offers a good anti-trojan program and offers a free 30 day trial.
All said, I'm willing to bet there are still some scripts on your community or residing on your server as graphic files.