Try grep -r 'top.location.replace'. Bare in mind that the malicious code could be base64 encoded so might look more like "dG9wLmxvY2F0aW9uLnJlcGxhY2U=" (without quotes). Try other encoding options too, as well as grepping for just the IP address encoded.
This will help with encoding: http://www.base64encode.org/