Here is a nifty thing. I am getting attacked on a regular basis with the Pharma hack and one thing it does is add their malware file AND removes the main exploit-scanner php file - deletes it.
I have WP-File Monitor active and caught it so I just delete the bad file and delete and reinstall the plugin manually.
Auto update refuses to reinstall it since the folder still exists.
The Pharma attacks are really ticking me off as I've followed all the various security tips and the hackers just injected a new file and removed another. *sigh*