I had this problem on an MT site a couple of years ago. I'm trying to rememebr exactly what I did...I *do* know that if you just partially stop it, it'll just come back over and over again. But once you completely erase it, it usually doesn't come back (I know the MT blog has never had a problem since.)
I know that the 1x1 pixel iframe was at the bottom of *all* of my posts. I also noticed that my permissions to files had been changed from whatever they were originally to 666 and 777 - if I remember correctly, the files in question were originally 755 and 644. So the first thing I did was go through my cPanel and CHMOD'd all the files back to what they were supposed to be. Then I went into my MT system and republished all of my pages - which got rid of the iframe script at the bottom of every page.
But the BIG thing was that there was actually a script installed on my server. Man, what was the path for that thing? When I found the actual script that did it, I deleted the hell out of it, and it never came back. Prior to figuring out that a script had actually been installed, it kept coming back on me - even the file permissions would continue to change.
Oh yeah, I changed my username/password to log in, as well.
AH! there it is. The hijack attempt would download a torjan to your computer (if you were using IE) and redirect your page to Search.ug. Okay, they had added a line to my .htaccess file, as well - so any 404 would be redirected. I got rid of that, and re-uploaded an old (and clean) .htaccess file. The file I had to delete was called "configs.php" - it was in some subfolder of my root system. Once I fixed the .htaccess, removed "configs.php", changed username and password, rebuilt my posts/site and checked my CHMOD settings, it has never returned.
(Wow, lotta info there, eh? Sorry for the novel!)
Hope that helps someone out!