Sorry to hear that ...
Eli's plug-in does clear the issue for me, but it comes back eventually. To block that behavior, I run a scan, clean stuff up, then manually delete the .htaccess file from root. I then reset permalinks, go back to the root directory and set permissions on .htaccess to 400 so it cannot be overwritten. I think Eli added some support to cleanup the .htaccess file since the last time I did the manual method, but you would still need to do the permissions change on the good file to protect it.
I'll let Eli chime in on that. Also, we are both monitoring my client's site for reoccurrence in hopes of finding what is making the hack come back when I don't have the .htaccess file protected.
Cynthia