With steps 1 and 2 you are only removing the symptoms of the infection, not the infection itself. Blockings access and changing permission (steps 3 and 4) makes a difference for outside approach of your system. But the infection is already inside your site. So, with these steps you do nothing to remove the infection.
The infection can be anywhere: in your theme, some plugin, hidden in the database, in WordPress core, you name it. The most fool proof way to approach this is to wipe the site entirely and install a backup. Else, you’ll have to go through a lengthy process.