Hi Adam,
Thanks so much! The site was reinfected again this morning in two places (a php file and wp-config.php as usual) but the malware hadn’t gotten around yet to implementing its full redirect to payday loan sites so client site still looked normal. I followed your suggestions with the high-sensitivity scan settings which include “scan images, binary and other files as if they were executable” and “scan files outside your WordPress installation”. With these settings, Wordfence found an additional bad .ico file here: wp-content/plugins/wp-db-backup/favicon_e612b8.ico which I am guessing was the source of the reinfection.
Thanks for the help, much appreciated.
