• On 6/22/10 I installed the plug-in WordPress Hit Counter (v2.3, by Gary-Adam Shannon). Very shortly thereafter, my site had a bogus wp-content directory installed at the same level as the wordpress directory. In the subdirectory wp-content/cache/hookd/MYDOMAINNAME.com/ there are two files: 8b8203326e2a9c70947a and index.html. The latter is empty; the former contains code that I hesitate to reprint.

    The effect of this is to add a Blogroll section to my sidebar with a link named Online Gambling pointing to http://www.onlinegambling.eu.

    When I try to reset permissions on the bogus folders to delete them, it creates a duplicate directory the next level up, but doesn’t change permissions on the original. I can rename the bogus directory, but that doesn’t affect it.

    Also, note that my site is a sandbox; its URL has never been published and it has never been publicly accessed. Unless there is some hook in the WordPress code that allows hacking, this plug-in seems the only vector for this hack.

    This is similar to a post under Troubleshooting entitled “My Site Hacked?” (http://wordpress.org/support/topic/411714?replies=3#post-1576319). I have pinned it down, I think, to the installation of WordPress Hit Counter.

    Any help in getting rid of these files would be greatly appreciated.

  • The topic ‘WordPress Hit Counter hacked?’ is closed to new replies.