I had a non-RW site hacked with what is called a php spam injection hack, and found the hacker had put an .htaccess file in the root which referenced a number of .php files that were rewriting thousands of spam links on many of the pages of the site. There was also a folder with about a gb of files, each a few kb in size. So you have to log into your account with an ftp app and delete all those alien folders and files. They hid many of the malware files in existing folders or new folders. Sometimes they were named randomly, other times they had names that were variations on existing file names. It might be easier to delete all the files on the server and re-publish all files with RW. After i cleaned out all the malware files and my existing files, i re-published and Google approved the site.
Btw, this site was a shared hosting account with Godaddy, and after checking a few other sites that i administer that are also hosted on Godaddy, i found many of the same malware files in place as if they were waiting to be activated. When i searched Google about the php injection hack, i found the issue is apparently widespread with Godaddy. When i spoke to Godaddy tech support they were not surprised at all and said it’s a very common occurrence and the only recommendation they had was to change the password every couple of months and took no responsibility for their poor security. Typical Godaddy support.