I've experienced the exploit scanner file (xs.php) being removed from the server immediately after uploading. It was our hosts security protocols screening the uploaded file which deemed it a security issue and immediately removed the file. I'm willing to bet that's the same case with your host.
If that login function file is being removed from the server immediately after upload, then it's a possibility that file you have contains malicious code and is being removed by your hosts ftp security protocols. (as in your backup may contain malicious code). You could use a program like WinMerge to compare that file with a fresh version from the downloaded cmsb zip to check for differences.
Site hack cleanup can be a tedious task... there are also services such as Securi that you can contract to help you. Best of luck to you.
that's what I am thinking is happening as well. The problem is that I'm not uploading files from backup, I'm using the original source files from the interactive tools install package. The one catch could be that I'm trying to install from v2.65. I am going to try to upgrade to v3.07 to see if helps.
Upgrading to v3.07 resolved the issue. I am assuming there is some legacy code in v2.65 that server didn't like/trust.
From time to time it has happened that we discover that a specific host has a firewall or anti-virus app that falsely identifies some source code as malicious and doesn't allow it to be uploaded. In those cases, we modify the code if it's easy to do.
An example might be some code such as: "SELECT * FROM tablename". If the host had an issue with that we might change it to something like "SEL" . "ECT * FROM tablename" to bypass the overzealous security filters.
So it could be that. But in any case, glad it's working now and let us know if you run into any other issues.