Phishing Link embedded in non-existent URL

Hello all….

Ok here’s the deal… (and before I start I’m one of those “ask tech support at gunpoint” types see below) I have a site that has had some malicious code injected somewhere.

The site itself is fine and everything works, but there’s a “page” that Google made me aware of that doesn’t exist on the site. Let’s say it’s https://website.com and the offending “page” is https://website.com/help and there is no page named help.

WHAT IT DOES: When you go to https://website.com/help it redirects to [moderated] – WARNING! That IS a phishing site!

I have so far…..

1. Replaced all themes.
2. Replaced wp-admin and wp-ncludes folder with originals from 4.4.2
3. Deleted all plugins and checked (phishing still active) then replaced them.
4. Checked the entire site contents locally for base64 text and relevant strings/
5. Downloaded the SQL database file and searched with same methods above.
6. Checked HUNDREDS of files. directories, etc. but not all and didn’t keep perfect track of it, but tried to be very thorough.

This is a site on Bluehost and a subdomain, and I have three other sites on the same account. None of the other sites SEEM to be affected but then again I wouldn’t have even known about this except Google emailed me.

Does anyone have ANY suggestions as to where the offending code or hack could be? I have looked extensively online at many ways to repair other hacks but haven’t found one that has this non-existent URL issue attached to a phishing page.

ANY help or suggestions at ALL would be GREATLY appreciated, I have spent so much time on this that if I can’t get help from the WP community I will have to blow away everything and rebuild at least one and likely four sites from scratch again.

I do NOT want to do THAT. ??

Thanks in advance for any suggesitons!

Chris