at my site,
I deleted all of the spam comments, deleted malicious files that they were somehow able to upload to our hosting site, and disabled the ability for people to comment on blog posts, which should stop any further threats.
I then upgraded the WordPress installation and thought that should have fixed things. I am currently unsure as to what needs to be done to remove the warnings