ok, so, I think I've found it and it was, erm, hiding in plain sight in the root index.php - a big nasty slug of encoded junk, I found it using the grep tip in the comments of this article...
http://blog.sucuri.net/2014/01/recent-optmizepress-vulnerability-being-mass-infected.html
it makes sense it was there as if it wasn't in .htaccess it couldn't be many other places, I suppose I didn't look because the scan was clean ( fairly poor excuse! )
so, I still dunno how it got there and I really don't know how WordFence doesn't spot it, is there a way of submitting stuff to the WordFence guys?