Hi, the malware generates 2 php files, these are located in the folder wp-includes, the files are wp-feed.php and wp-vcd.php the latter contains the scripts, before deleting these files you must delete the code that generates, it is stored in the functions.php of your theme, usually from line 184, look for the label that says something like // send_wp_theme_tmp?>
From that line to the beginning you must erase, and save changes, that will help you!
PS: remember to create a backup of your site and the files that you are going to modify.
Greetings.
