Having switched host, it may take a little time before all DNS servers reflect your new IP address - Strange that it is still present on a .php file that you can’t find. I would check your php templates and see if there isn’t something in there inserting and running the q.php file on page creation.

I visited the site and got a network shield alert, but if I disable the network shield I get an alert on the home page, so there is something present and not just a block on IP address. No reference to the file you mentioned.

I captured and uploaded the element that avast was alerting on to virustotal, VT Results, only avast alerting. But it is a script injection it shows and I can’t see any script tags on that page which appear to be pointing at malicious sites of calling a .php page.