I've been hit with this "pharma hack" going around. (see http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php) for details.
Anyhow, I've done all I can to get rid of this thing, yet the rogue plugin files and database entries keep appearing. Within the _options table row, 3 entries will consistently appear no matter how many times I delete them. "wp_check_hash", "class_generic_support" & a malicious rss entry. Somehow these entries write malicious files into random plugin folders that have "ext-", "db-" or "class-" appended to them.
No matter how many times I delete them, they keep coming back. I've increased all of the security I can, and have all permissions set to where they should be. This is obviously an exploit of the wordpress install.
Has anyone figured out how to clean this thing out for good?