I changed the name of the plugins folder essentially disabling all plugins. No fix.
I loaded a different theme. No fix.
In looking at the injected code, I find this
"Index of /wp-includes/js/lib
Apache Server at http://www.dioceseofcabanatuan.com Port 80"
A search on google for "wordpress http://www.dioceseofcabanatuan.com" shows LOTS of websites with the injection happening ( who probably dont even know it).
I sent a trouble ticket to my host (bluehost).
Anyone seen this or know how to get rid of it?