Hi Eli -
I ran the scan and your plugin found 5 PHP files and one backdoor script. I clicked on the auto-fix and all six were dealt with successfully.
I then went to the host and removed the bad .htaccess file, then reset permalinks on WordPress. Site is back, for now.
I will continue to monitor. I'll send another status report in the morning. If this is done, maybe you can suggest good post hack tasks. I imagine changing salts and dbase password is probably a start.
Thanks so much for your help!
Cynthia