I just went through a challenging few weeks trying to remove some malicious code on a couple client sites. Two things would happen:
1. When accessing the site directly, i.e. typing the url into the address bar, the site would load very slowly, and if you watched activity, it appeared to be waiting on a couple urls for outside sites, often foreign.
2. When searching for the site in a search engine, and when the link was clicked, the site would redirect to some horrible other site.
I discovered malicous code buried in my header.php file (your-site/wp-content/themes/your-theme.
The lesson learned is to search all your files for bad code. It's identified by usualling being an exception to the php code, it often a big block of data, rather than elegantly laid out like most php files, and in this case I could actually see "redirect", "referrer" and the evil urls in the code that I could see the site trying to access.
Suggested note:
Edit your file by copying out the bad code using your hosting company's file manager, or if you use FTP, the reader you use with that. Keep the file open after you save it! Try your site. As happened to me, I cut out just a bit too much and had to add back a header referrence.
Also, expand your theme in your computer file manager/folder. I was able to find the same header.php file there, compare it to the one online, and see the code problems. Not all files will be available like that, but many are.
And keep your site updated! Use Malware plugins, add a firewall, and modify your .htaccess file for more protection as per this article (it refers Revolution Slider, but its good advice for almost any site):
http://www.ericnagel.com/how-to-tips/revolution-slider-security-hole-fix.html