I understand what you were saying now… you were saying that bronwynjamrok.com was hosting malware (which I was already aware of - I found out about this when I got a burst of emails from visitors warning me about it) and I originally thought you were saying that my sites were actually hosting the malware.
I only have the hideous script injection which leads people there.
I do have a general ‘site notice’ mysql db call on both of these sites (jiltanith.thefifthimperium.com and baencd.thefifthimperium.com), but beyond that, they use flat files for their normal operation.
I do not have any user authentication for site access for either site.
In neither case was the file datestamp altered, so using the method of searching for recently altered file timestamps would not help.