One of admin found the injection in WP db itself. he ran The ran a sql query to remove the entry containing the injection.
mysql> use ******_live;
mysql> delete from wp_options where option_id = '42131'
That seems ot fix otherwise the injected code was even hiding the rest to defaults. Pretty horrible took 3 days to cleanup the mess.