Hey There,
I have fixed this kind of Malware, Virus, Redirect, Adult Redirection, Popup display, Ads Display on-site kind of Problems before.
I am sure your clients' website has to be WordPress based only then only this kind of Issues occurs if,
1 The client doesn't have SSL Certificate
2 Server Rights are Open to Edit, Write, Update
3 Coding Standard are not up to to Mark
4 Use Black Plugins or Third Party API
For Fixing this issues I need,
1) CPanel Login
2) Admin Login
3) A site's Recent Backup File Before Attack
4) Permission to Install Some Wordpress Security Plugin
If you are ready to provide and get it sorted asap, let's discuss further more on chat or call.
Best,
Dhruv Nimbark
Innowyn Business Solutions