It’s probable that your site was hacked. And that will take some manual (‘by-hand’) investigation. Lots of googles on how to clean a hacked site. But, in general
- change all site/hosting credentials to strong passwords: hosting, ftp, database, WP users
- look for WP admin level users that shouldn’t be there
- look at every file for inserted code
- look for hidden .ico file that contain code
- reinstall manually all plugins/theme code (by deleting the files first, then uploading manually via FTP fresh/valid code
- do the same for WP (delete all WP core code except your wp-config.php file, then upload new/fresh version)
- look again at all code (if you have deleted/reinstalled new code, time stamps should be the same, although some malware will mess with the file timestamp, so looking for different timestamps does’t always work)
- look inside the wp-posts table for inserted posts, or posts that have code inside them
- always ensure latest updates are installed, including running latest PHP version (7.3)
I have a process that I use here: https://www.securitydawg.com/recovering-from-a-hacked-wordpress-site/ , there are others.
Cleanup can be done. But it will require some effort. There is no ‘automatic’ process that a plugin can do.