Good morning Paul,
To add to Ken's comments, those files should NOT be on your server and they are "normally" not in the download zip either. I just checked.
wsMetNoSA/lang/wsLanguage-de-local_infoold.php correct name => wsLanguage-de-local.txt
wsMetNoSA/lang/wsLanguage-en 2_ver1.php correct name => wsLanguage-en.txt
weather28/ewn_frc/js/highcharts.min.js
=> the folder ewn-frc/ is not used anymore, as Henkka continually enhances the ewn scripts, so they are run in an iframe now. You can delete the complete folder as they are not relevant for Canadian users.
=> I compared your weather28/..../highcharts.min.js file with the original distribution, they are identical, so this is a "false positive"
Question 1: can you please give the links to the other "3 more add on script" files? Those are not Saratoga ones, maybe Leuven?
Question 2:
The big question is: How do those files arrive at your sites? Someone is/was uploading those files.
You host multiple websites with different URL's, is only one site flagged or more then one?
If multiple sites are compromised, do you use multiple FTP ID/passwords, one for every site?
Or do you use 1 FTP ID/password for all sites?
Wim