I encountered some particularly smart malware on a site I was working on once, it read the server's log files to determine the IP addresses of the site owners (whoever had logged in via ssh) and when they visited the site, it displayed normally. It could be something similar here.
Search your code for
eval functions, when I've seen sites hijacked like this they hide the malicious PHP code in
eval(base64_decode() and put it in strange places in the file e.g. prefixed by 100 spaces so you have to scroll across in your editor to even notice it.