The biggest problem is that you guys think you are editing and overwriting your .htaccess files, when in fact, the overwrites are failing. These hacked files are set to “read only” and can’t be overwritten. I seriously don’t think they are replacing themselves — you guys just aren’t changing the permissions before attempting an overwrite.
@old_fart – I did everything that you listed. My site is working perfectly fine.
@Richardline – Here’s detailed directions of what I did:
1. Change all passwords
2. Look in EVERY directory and delete the suspicious PHP files as mentioned previously.
3. Look in EVERY directory for a .htaccess file and delete it or overwrite it with your desired .htaccess file. Overwriting will not work unless you first change the file permissions of the infected file to 0644 before overwriting.
4. If you are overwriting your .htaccess files instead of deleting them, be sure to delete all of the hidden code at the top and bottom of each file. A lot of white-space was added to hide the code from you.
5. Add a 404 redirect to your new .htaccess file if you haven’t already done so. I created a 404 page named “example.html” and added this to my .htaccess file(remove the quotes): “ErrorDocument 404 /example.html”
6. Manually test your site to see if it’s working, and also test with https://sitecheck.sucuri.net/scanner/
Let me know if this works for you. My site has been up for 7+ hours since doing these things.