You may or may not be suffering from the exact same attack we've recently gone through, but it does sound like it. After days of restorals and changing passwords and it happening all over again - in the end we found one person was infected directly on their pc with a keystroke recording virus.
Once the attacker was able to grab a root ftp user and pw, they were able to infect and spread through out that full server and in some cases use what they found to hit another server through that host.
They were also trying to grab ftp software info and just randomly guess at passwords to gain initial access they hadn't already gotten.
It took almost 2 weeks to completely stop and restore all sites from the problem. The infected user had to completely reinstall 3 of their computer operating systems. Then we restored backups where we had them and manually removed from other sites that didn't have a far enough backup with the hack. Then changed every pw for every site to something new and more difficult.
Using Malware Bytes software seem to be able to detect the virus, but if it's that same virus, it infects both the system files that are important and also the restores on the pc. We were unable to find an alternative way to remove the hack from regular pc's without completely reinstalling the operating system.
This probably isn't what you wanted to hear, but hopefully our nightmare will help you solve your problem and maybe you can find a way around losing all your data.