I've been having the same issue. Have followed all the steps mentioned to clean things up and it reappeared a week later. No strange CGI files in my directories, but I checked all files by date (as we don't make updates often and usually know within 12 hours of the site being down) so have removed some cache files and plugins that may have been targeted and aren't realyl necessary to keep. Guess I'll know soon if it works!
However, I have a plugin called 404 Redirected that tells me when files aren't found and gives me an option to set-up redirects. Seems that "78 dot 138 dot 104 dot 178" is trying to access gddform.php (one of the main files that appears when the issue is present) after I've deleted it. Thought this may be of interest to you.
Ohh and in addition to making my htaccess read only, I've setup a redirect for the gddform file to https://www.youtube.com/watch?v=dQw4w9WgXcQ (might not solve the problem, but I hope it sends a message)!
