I have been attempting to clean up similar infections. What I can tell you is that I have uncovered plenty of invisible files (names starting with a period, like “.hudut76.php”) that contained malware code that WordFence did not detect in scans. In addition I have seen examples of bad injected code in the WP database, mostly in the wp-options table.
With much of the code either base64 encoded or ASCII code encoded, it has been almost impossible to know exactly how the admin users are getting injected into the database, but I am pretty sure it happens when a real admin accesses the dashboard or otherwise interacts with the site.
Having used multiple tools, and monitored the sites for weeks, I have had to resort to a complete scorched earth policy (archive the site, and delete everything). Then rebuild. Unless you have a known clean backup (which I do not, all my backups also are compromised), it is the only way to be sure.
As an aside, if those admin logins show up, assume that your wp-config.php and your database logins, passwords and keys are no longer secure. Sorry I don’t have better news..
-pm
