Before you start giving random people your FTP and Wordpress login, why don't you reinstall wordpress?

-checked all plugins for malicious code, and deactivated them

-checked .htaccess in root + subfolders

-installed a fresh copy of WP 2.7.

-checked database for noscript, display,...

It is using an iframe because it retains the correct wp-admin settings url in the nav bar at top but frames the site it send you to.

Let me ask the obvious question. Are you sure what you are clicking is really the settings? I only ask because I have seen links in plugins that are really promotions for other websites and not settings.
Did you download this plugin from somewhere other than the wordpress website? I have heard of themes being hacked and hosted for download on other websites but perhaps it happens with plugins too. Always download themes and plugins from the wordpress website.
Next I would deactivate and delete all the plugins. You can delete them in example.com/wp-content/plugins, test and see if your problem is gone.
If it is then download what you need from wordpress website and try reinstalling and activating one by one and testing.

Hope some of that helps. Let us know

That raises the question too of whether or not you've cleaned out your themes directory. You said you downloaded new versions of WP, but did you get rid of any non-default theme?

Obviously, you want to get your old theme back, but just as a troubleshooting exercise it might be worth it.

Yes, I am absolutely clicking on the settings - very familiar with Wordpress - use it on many sites.

ergophobe - are you saying I should delete all themes except my theme I want to keep?

I'm saying put your site in maintenance mode and delete (or rather move to a directory outside your WP install) all themes and try it with a fresh upload of the default theme.

Honestly, I have no idea if this will work, but it will remove one source from consideration.

That said, personally what I would probably do first is look at the html source and try to find some unique code from the offending page and grep the whole WP install for it and see if that turned up anything and I would do the same with a dump of the MySQL file.

PS - failing finding anything with grep, the next thing I would look for is obfuscated javascript. In other words, they might be doing something like obfuscating the domain by encoding it and then unencoding it with base64_decode() or simply some sort of string concatenation.

You might try loading your pages without javascript to see if the attack is JS based.

So, sorry for my disorganization. In order, I would do this:

1. disable Javascript in my browser and see what happens.

2. grep through all files for some unique text (the domain name or iframe tag or something).

3. do a DB dump and grep through that for the string.

4. move all themes outside WP install and try a known good theme.

5. Come back here for a shoulder to cry on.

Best of luck!