iFrame Hack

I’m sorry, I searched here and while there’s a list of threads, all appear closed on this issue.
I am having the dreaded iFrame hack hit my sites. I know there are “lock down your WP site tutorials” but this has hit me in plain html static pages as well as a Wiki install and a site using PHP to simply create a web based file uploader, passworded.

My Host (1&1) says it’s all on me, the hack not occurring within the server but coming external.

Is there any thorough reference to this which will give a more comprehensive answer?
A number of domains I bought without developing yet now show “reported attack site.” How long will that take to clear up? I mean once code is cleaned up, is the site dead forever?
Last – is there a third party type application that will scan a list of sites and offer early warning? I have too many to scan every day, but few that are developed which I need to monitor. An app would help with the others.

For what it’s worth, I accessed my FTP with Fetch from a Mac. I changed the password to about 30 characters recently, but am now sifting site by site to clean up.

Last, I don’t know if the host is right, is it possible the hack is from within? They’ve not answered my 2 emails sent in last two weeks. Are there better hosts I should consider switching to?