I found such a library, but in woocommerce it's more prettier.
xbsoftware.ru/produkty/enjoyhint

first, look in .htaccess for left redirects or auto_append_file / auto_prepend_file - this is usually how malicious code is inserted into WordPress.
is not found in .htaccess - then look here cssing.org.ua/2008/06/01/wp-footer-exploit/
and don't forget to update wordpress to the latest version!

The virus most likely goes through the infected machine via FTP. Go in that direction.

The virus may have entered the web directory. To find it, you can try to do the following:
1. Copy all files from the web directory on a regular machine to a separate directory;
2. In a file manager like FAR, start searching for files in this directory with the contents of some fragment of the virus code.
Naturally, this is a half measure. You need to look for possible causes of hacking and eliminate them - on your own or through hosting admins.

You can also see if there are any recently changed files, often "coolhackers" are fired with this.

What kind of hosting: shared, vds, vps? WP version? How can content (plugins) be loaded? Permissions for folders and files? FTP/SSH? File version control? There is a lot to guess. Help give you an answer.

Faced a similar problem. Only I had to cure not one, but many WordPress. I even had to write a separate script for such a case. I share : blog.nkuznetsov.me/2012/11/wpdiff-tool-for-wordpress-comparison.html
Using this script, you can:
1. compare the current installation with the original one and see if the "bug" fits into the kernel or not
2. also you can compare a healthy version (from a backup, for example) with a sick one and determine which plugin has changed

a lot of experience in cleaning and protecting against such a scourge.
I recommend notepad++ with bulk text replacement.

First of all, check your local computer. All trojans get through FTP. Download the entire site locally and check it with a good antivirus.