Over the years, I have developed a process/procedure to recover a hacked site. While backups are good, it’s not always clear that a backup is ‘clean’ and not hacked.
My process includes reinstalling all code (WP, plugins, themes) manually (themes/plugins via FTP from known good source, WP via the ‘update again’ on the Update page), changing all credentials (hosting, email, users, database), and more; and manual inspection of files.
It can be time consuming, and I believe is much more thorough than automated scanning tools or services.
My process is here: http://securitydawg.com/recovering-from-a-hacked-wordpress-site/ .
Good luck.