Overwrite core WordPress files first. Run WordPress Exploit Scanner to root out anything in the database, and WordPress File Monitor as a tripwire going forward.
That's what I did when I had this same issue happen to me on my WP installs (yeah, the same hole infected other sites on the server). These plugins showed me what files on my server had be changed and where the offending code was.
How old is your WP install? The hole could actually be in a plugin you are using. That was the case with me.
Also, TimThumb.php was recently in the news as having a security hole in it.
http://wordpress.org/extend/plugins/exploit-scanner/
http://wordpress.org/extend/plugins/wordpress-file-monitor/
That's what I did when I had this same issue happen to me on my WP installs (yeah, the same hole infected other sites on the server). These plugins showed me what files on my server had be changed and where the offending code was.
How old is your WP install? The hole could actually be in a plugin you are using. That was the case with me.
Also, TimThumb.php was recently in the news as having a security hole in it.
For good measure, here is the Hardening Wordpress article from WP: http://codex.wordpress.org/Hardening_WordPress