Think taking the approach of replacing 'suspicious' files is the harder route to go. in a moodle 3.1 code directory, as an example, there are 34716 files. No one here in these forums has actually suggested taking that approach. That's because there is too much unknown.
Is the site customized? ... ie, core files changed? Does the site have addon/plugins? IF not, it's a 'stock' site and the only file one needs to keep is the config.php file - which is pretty easy to fix IF it were changed (most likely whatever it is hasn't changed config.php file ... too obvious).
'spirit of sharing', Ken