script and iframe virus injected above head tag

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

I’m sorry to hear your sites were damaged. I can’t speculate about how the hacker gained access to your account. But once in the account, normal healthy files can be changed and new files containing malware can be added between sites.

You don’t say how many sites you have in the compromised account. Regardless of the number, restoring from a known good backup is the quickest and surest way to having your sites back. Since you have everything on one account, your host likely has the ability to do a full account backup. Having everything back in 15 minutes or less would be a very good outcome to your situation.

Unless you have a lot of time to kill. Restoring from back up is your best solution. I would make backups of all databases and at least the wp-contents directory and wp-config.php files for each site before you let the host restore – just to make sure your host doesn’t loose something important.