Hi I have the same problem. I follow your advice but my site is still reinfected.
/wp-includes/js/codemirror/fxtiqfnh.php this is the path I find in the log.
Yesterday I find another URL that contain a name of plugins and I deleted it, but today same problem./wp-content/plugins/nextend-facebook-connect/includes/csqygqcf.php
Should I remove even the record from ddb as suggested by frankytee?
