I am spam-free now, but my scan is back to not completing again IF I have the 'scan images as executable' option checked.
If it's the same strain of issue as mine -- and you are a little technically minded -- you could check your plugins folder for an image file (JPG or PNG) whose contents include the string 'PHP'. Another indicator of the issue could be deemed by downloading the image files from your install. The rogue file may not have a thumbnail preview in your Windows Explorer.
Also though, the wp_options table in your WordPress database will contain a key called "WP_OPTION_KEY" with the option_value field of that record containing a 'data {.....} entry. That should be deleted.
Backup the database first.
Again, Wordfence DID get it eventually on the attempt where the image scan enabled scan completed. I had to look through the code of the rogue PNG file to find out that it had added entries to the WordPress db. WF did not remove that db entry.
To the author: does the image scan option cause higher memory use than other scan options?
C