Hi,
Finally found the problem. Plugin WPCode was installed by the hacker and a PHP snippet was run each time the website was loaded. PHP snippet was stored in wp_options under wpcode_snippets option name. The snippet was doing many thing, including hiding the WPCode plugin from the admin side…
Hope this can help someone else having similar issues.
Mat
