Just found your plugin a few hours ago, and have installed it on my blog that has continuously been under pharma hack and log-in attack after massive 6 month-long attempts to eliminate it.
ran the scan and had both the log-in php page and the WebsiteDefender Agent and verification file ID'd as backdoor scripts.
repaired the log-in file, but am leery of trying that on the WebsiteDefender Agent and verification file. when you click show the 'Found' it turns whole page blue.
and WebsiteDefender still shows numerous bad links to my site. I did put a kind of humorous Page Not found up. so...
an example of one of the poison links from last few minutes is this:
I have done just about everything but close my site.
So any suggestions?