If you cleaned it with my Anti-Malware plugin then you can look in the Quarantine to see the exact infection time of that file. Then check your raw access_log files to figure out what script was used to infect and re-infect your header. If you find the malicious script responsible, please send it to me so I can add it to my definition updates.
Aloha, Eli
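
One way to do the access_log correlation described above, as an added example that is not part of the original reply or the plugin's code. It assumes the Apache/Nginx combined log format and that the infection time from the Quarantine has been converted to a timezone-aware datetime; the function name, window sizes, paths and log lines are hypothetical and constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def requests_near(log_lines, infected_at, before=120, after=5):
    """Return (time, host, method, script, status) for requests to .php
    scripts logged shortly before the file's infection time.
    POSTs sort first, then requests closest in time to the infection."""
    start = infected_at - timedelta(seconds=before)
    end = infected_at + timedelta(seconds=after)  # small allowance for clock skew
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        script = m["path"].split("?", 1)[0]  # drop the query string
        if start <= ts <= end and script.lower().endswith(".php"):
            hits.append((ts, m["host"], m["method"], script, int(m["status"])))
    hits.sort(key=lambda h: (h[2] != "POST",
                             abs((h[0] - infected_at).total_seconds())))
    return hits

# Constructed sample data (documentation IP ranges, placeholder paths).
SAMPLE_INFECTED_AT = datetime(2024, 3, 12, 4, 17, 42, tzinfo=timezone.utc)
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:04:10:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:04:16:30 +0000] "GET /cron.php?run=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:04:17:41 +0000] "POST /uploads/example-placeholder.php HTTP/1.1" 200 24 "-" "-"
203.0.113.7 - - [12/Mar/2024:04:17:43 +0000] "GET /theme/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:04:55:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "-"
this line is not a valid log entry
""".splitlines()

if __name__ == "__main__":
    for ts, host, method, script, status in requests_near(SAMPLE_LOG, SAMPLE_INFECTED_AT):
        print(ts.isoformat(), host, method, script, status)
```

Running it once per infection time listed in the Quarantine and comparing the results shows which script recurs across the re-infections.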