I was asked to look at an infected wp install where the logon page was something other than a wp thing.
After further investigation I found that the /wp-admin/includes/file.php was totally rewritten. It looks to be a highly complex file containing 1953 lines of pure evil. For lack of a better name, I will call it "spiderpass" because this is name value for the password element of the form that was presented on the bogus logon page.
Does anyone want to see it? I don't know how to ship it to you because my virus checker immediately flags it.
Anyways, I was able to fix wp by simply removing this file and replacing it with a proper one and the site was back in business.
I hope others find this useful and if people want to see it, let me know.