I tried to figure out the malware ad-code, but couldn't locate it. So, I just re-installed everything and made the installation more secure by using WordPress security plugins like "All In One WP Security", "Better WP Security" and "Wordfence Security"
But be cautious while tweaking settings of these plugins, as over-tweaking may lock-out the site for admins too. Before installing, take a backup of your .htaccess file