JS/Spy.Banker.MP found by ESET, but can't replicate it

[CK020 0]

Hello all, 

By a customer I was notified that our webshop (aalvink.nl) was infected by JS/Spy.Banker.MP.
When I run sitecheck.sucuri.net and virustotal.com I can't find any infection. 

With the help of the forum I searched for 'c2V0VGltZW91dChmdW5jdG' which helped me find 2 files with a line of code with this in it, so I deleted them. 
Because I can't replicate the warning, I am not sure if my site is clean now... Can you please give me some assistance? Much appreciated. 
 

[Marcos 5,088]

The website is infected:

[CK020 0]

Thank you for the information, but I can't seem to find any file containing this script. Can you tell me where to look?

[Marcos 5,088]

5 hours ago, CK020 said:

Thank you for the information, but I can't seem to find any file containing this script. Can you tell me where to look?

Since we don't provide website cleaning and monitoring services and don't have admin access to your website and database, we can't help locate it. We merely see the malicious JS code in the final rendered website's code.

[CK020 0]

Ah I understand, but I read in other treads that you suggested to search for certain (unique) parts of the code... That's why I was asking. 
Although I think I have found and deleted the script.

[itman 1,667]

22 hours ago, CK020 said:

Because I can't replicate the warning

I received the Eset detection alert upon web site product selection box; e.g. https://aalvink.nl/product/varkensnek .

[CK020 0]

Thank you itman, I have identified the infection in the functions.php and cleaned it.