Further update on the cleansing of my site….
I’ve purged what appear all the bogus/changed core files that may have been the cause of the hack, although I’m not completely confident….I need to look through all my plugins. But, most important, I found that this hack is using an entry in the table wp_options to hold a key/value pair, containing the spam message (in reverse, which is a signature of the pharam hack). Specifically, check out the record whose name is _textalternate2 and you’ll see the offending code.
So, it’s a start…