@WFMattR - Matt, all of the sites I've been dealing with are on the same server, different users (we lease a managed WHM/cPanel server to host some of our business clients' sites). I figured cross-pollination was at play. That said, I know of at least 2 clients with similar problems, but each are hosed on different servers (NetSol and private).
I missed the 2nd listing of the affected files WF where I could just restore the original (I usually just see that link or not in the original item)...I'll look again next time I get positive hits (I do recall seeing yellow warnings for files I had just deleted due to red flags in the same report). Hopefully, the mis-labeling goes away in the next release. :D
The datacenter used the domlogs to trace the file changes and estimated mid-August as the time things started (the logs didn't go back far enough to be certain).
As for the backups, our server regularly makes backups automatically; however, I went back a week and found corrupt files, so they were of no use. Luckily, I keep backups of the sites before I push them live so, apart from any subsequent updates, I have a base to work from for comparison of their wp-content directory.
If I find more php files that Wordfence missed, I'll let you all know. At this minute, knock on wood, I think we have things settled as the visitor logs did reveal a few more things I'd missed (Localrelay alerts ceased upon their removal...alerts which started everything, lol). I won't relax until tomorrow morning's email is checked. ;)