Our demo server is under affected by a kind of malware which Suciri calls “Pseudo darkleech”: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html
The evidence is the same as described in the post above: /wp-includes/nav-menu.php is injected and .htaccess is re-written everytime. As a result, home page works fine but not other pages (which uses URL friendly)
I have update all plugins to latest version, restore original WordPress files. However, the infection is still there. (It comes back after few days).
Does anyone know about this? Do you have a fix?