Hi Eli -
I am writing because, in my experience, you have the best anti-malware plug-in around for developer types. It is far superior to things like Sucuri or Wordfence, and in fact, has helped me find hacks that even Sucuri's paid service has not resolved. (Yes - I've donated!)
Anyway. Today I have come across a new form of hack. I have a client site where the home page is visible, but any URL to a menu - any Permalink - does not work. The reason is that the .htaccess file written by WordPress gets replaced within a few minutes by an .htaccess file written by the malware. This appears to be some type of SQL injection hack. The PHP files I have removed from the client's file structure include a file called startup.php in the root file system and a file called something like inxstat.php in the wp-content directory that contains about 20KB of gibberish.
Running Anti-Malware subsequent to removing the files turns up nothing of interest. Yet I wait a little while and the hack returns.
I am wondering if you have seen this one before. The folks at GoDaddy said that this is the first they have seen of it - but they've had several instances today. I am happy to work with you directly if you would like to examine it firsthand.
The affected site is http://www.clace.us/ - all plug-ins & themes are at current versions and WP is updated to 3.9.2.