Okay, you've now cleared MOST of the problems, but we're not done yet.
Step 5. Inspect the remaining files in your root folder. I'm thinking of specifically wp-config.php, but there are others too. Open each of them in your FTP editor and look for the /* god_mode telltale. Any files you find there with that content are going to have to go, so delete those.
Step 6. You just deleted your wp-config, so your site isn't going to work at all. Good news - WP will recreate it for you. Just load your site in a browser and follow the instructions - get the necessary info from your original setup, or phpMyAdmin etc.
Step 7. Now, log back into your dashboard, and run the Exploit Scanner again. You'll probably find that all your theme files still show infections. The 'basic' themes are there in your freshly downloaded copy of WordPress, but if you're running a different theme you'll have to get a fresh copy of that too. Regardless of which theme you are running, there is one more thing you can do (which I unfortunately forgot when I just did mine - oops...). Download and save a copy of your style.css file, THEN delete the theme, and replace it with your fresh copy. Make sure you do it like that - delete the WHOLE theme folder, because our pal the hacker might well have uploaded additional files which wouldn't be overwritten, and then upload a whole brand new copy of the theme. Then you can open your style.css file and check it for anything odd, and if you don't find anything then replace the default style file on the server with it.
Step 8. Any OTHER themes that you have on your site but that you're not actually using will ALSO be infected. Delete and replace those too.
Step 9. Another run of the Exploit Scanner will show you that unfortunately all your plugins are dodgy too - every one of them will have 'god_mode inclusions all over them. You're going to have to delete all of the folders, so you have no plugins left APART FROM THE EXPLOIT SCANNER. That's 'safe', because you only just downloaded it!
Step 10. Run the Exploit Scanner yet again. Hopefully now you'll not have any results, or results that are benign.
Now, its over to Jan for some help, because although we're back running again and clean, we have no plugins. Can we just download and install them again Jan, or will WP complain that it thinks we already have them? Anything else we need to check?
Many thanks for pointing me in the right direction - I might well not have noticed I'd been hacked otherwise