Channel: Topic Tag: malware | WordPress.org

Eli on "[Plugin: Anti-Malware Security and Brute-Force Firewall] a malware: [STR]eval_base64_authpass"


You only posted half the file here. I posted my email address so you could send me the whole file as an attachment.

Anyway, the first part looks fine so maybe your hosting provider is wrong, or else the threat they are detecting was injected into the bottom of this file.

If what they are warning you about is my default definitions array then they are just wrong. My code looks something like this:

$GLOBALS["GOTMLS"]["tmp"]["definitions_array"] = array("potential"=>array(
		"eval"=>array("CCIGG", "/[^a-z_\\/'\"]eval\\(.+\\)+\\s*;/i"),
		"preg_replace /e"=>array("CCIGG", "/preg_replace[\\s*\\(]+(['\"])([\\!\\/\\#\\|\\@\\%\\^\\*\\~]).+?\\2[imsx]*e[imsx]*\\1\\s*,[^,]+,[^\\)]+[\\);\\s]+(\\?>|\$)/i"),
		"auth_pass"=>array("CCIGG", "/\\\$auth_pass\\s*=.+;/i"),
		"function add_action wp_enqueue_script json2"=>array("CCIGG", "/json2\\.min\\.js/i"),
		"Tagged Code"=>array("CCIGG", "/\\#(\\w+)\\#.+?\\#\\/\\1\\#/is"),
		"protected by copyright"=>array("CCIGG", "/\\/\\* This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. \\*\\//i")));

This is the default array of suspect code to look for, so it is not malicious itself.

Please let me know what they say to that ;-)
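An added illustration, not part of Eli's post or the plugin's own code: a Python port of the "eval" and "auth_pass" definitions quoted above, run against the definitions' own source text and two constructed samples. `NAIVE_TOKENS` is a hypothetical stand-in for a host-side string signature, whose real content is not given on this page; it shows how a substring rule can flag a scanner's definitions file that the regexes themselves do not match.

```python
import re

# Ports of two "potential" definitions from the post, written as the regex
# PHP sees once its double-quoted string escapes are resolved.
DEFINITIONS = {
    "eval": re.compile(r"""[^a-z_/'"]eval\(.+\)+\s*;""", re.I),
    "auth_pass": re.compile(r"\$auth_pass\s*=.+;", re.I),
}

# Assumption: a string signature that fires when every token is present.
# This is NOT the hosting provider's actual rule, which the page does not show.
NAIVE_TOKENS = ("eval", "auth_pass")

# PHP source text of those two definitions, copied from the post.
DEFS_SOURCE = r'''"eval"=>array("CCIGG", "/[^a-z_\\/'\"]eval\\(.+\\)+\\s*;/i"),
"auth_pass"=>array("CCIGG", "/\\\$auth_pass\\s*=.+;/i"),'''

# Constructed samples (not taken from any real file).
SUSPECT = '<?php $auth_pass = "constructed-placeholder"; eval($code); ?>'
BENIGN = '<?php echo "hello"; ?>'


def regex_hits(text):
    """Names of the ported definitions whose regex matches the text."""
    return sorted(name for name, rx in DEFINITIONS.items() if rx.search(text))


def naive_hit(text):
    """True when every token of the stand-in string signature is present."""
    lowered = text.lower()
    return all(token in lowered for token in NAIVE_TOKENS)


def triage(text):
    """Separate real pattern matches from string-only hits worth a second look."""
    names = regex_hits(text)
    if names:
        return "suspect code: " + ", ".join(names)
    if naive_hit(text):
        return "string-only hit: likely a signature list, review manually"
    return "clean"


if __name__ == "__main__":
    for label, text in (("definitions", DEFS_SOURCE),
                        ("suspect", SUSPECT), ("benign", BENIGN)):
        print(f"{label:12} {triage(text)}")
```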

