I have the same problem. Additional also our frontend-users are sporadically redirected to the russian URL named above which is fatal.
Our server was attacked this afternoon by several foreign computers (checked logfile). All of them tried to upload files named sm3.php in the theme-directory of our active theme. Possibly malware was injected through thumb.php used by our theme for image-resizing.
I tried the whole afternoon/evening to find a solution to completely clean our site but I still had no luck. There might be several preg_replace code spread out in several files on our server where it should not be. Another strange encrypted file found here was wp.php.
Any ideas?
