If the free tools don't help you to identify and cure the infection, you need to start digging into the website internals. Many websites are built on a CMS that uses the PHP language and are hosted on the Apache Web server. The following assumes your site is based on PHP. With other Web servers, such as Nginx, there will be slight differences in the procedure.
PHP configuration files, such as php.ini and .user.ini, are used to customize PHP behavior. These files, if compromised, could preload or postload malicious PHP files. They could open up permission settings to provide cybercriminals with more capabilities through website access.
The Apache configuration file .htaccess contains rules for how the Web server will treat HTTP requests. Making changes to this file is a major tactic for traffic-stealing malware. Changing one line in .htaccess can redirect users to a scam site. For example, the following line will redirect all website pages to another domain:
Redirect 301 / http://scamwebsite.com/
Examine your .htaccess file for the presence of any suspicious "redirect" directives or other anomalies. Compare your current .htaccess file with the one shipped with your CMS. That will help you to identify all changes and detect any infection.
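One way to run the comparison described above, as an added example that is not part of the original article: the Python script below reports every .htaccess line that is absent from the CMS-shipped baseline and flags redirect or rewrite directives that point to a host other than the site's own. The function names, the sample file contents and the hostnames in OWN_HOSTS are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# mod_alias / mod_rewrite directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(r"^(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def normalize(text):
    """Drop blank lines and comments, collapse runs of whitespace."""
    lines = (" ".join(raw.split()) for raw in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def audit_htaccess(current, baseline, own_hosts):
    """Return (kind, line, hosts) for off-site redirects and for lines not in the baseline."""
    known = set(normalize(baseline))
    findings = []
    for line in normalize(current):
        hosts = []
        m = REDIRECT_RE.match(line)
        if m:
            for url in URL_RE.findall(m.group(2)):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in own_hosts:
                    hosts.append(host)
        if hosts:
            findings.append(("external-redirect", line, hosts))
        elif line not in known:
            findings.append(("not-in-baseline", line, []))
    return findings

# Constructed sample: a CMS-style baseline and a modified copy of it.
BASELINE = r"""
# BEGIN CMS
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END CMS
"""
CURRENT = BASELINE + "Redirect 301 / http://scamwebsite.com/\nHeader set X-Example \"1\"\n"
OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own hostnames

if __name__ == "__main__":
    for kind, line, hosts in audit_htaccess(CURRENT, BASELINE, OWN_HOSTS):
        print(f"{kind:18} {line} {hosts}")
```

Lines reported as not-in-baseline are not necessarily malicious; they are the changes that still need a manual review against what you or your plugins added on purpose.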