Eli, thanks for the update. It found a 'known threat' in the wp-includes/js/main.is and some other files. I realised that I only ran a quick scan before and now I did for the first time the complete one.
How do I know whether it removed the backdoor of this hack now. I guess I just have to wait a couple of days and see, right?
Thanks for all your help!
