The main issue is figuring out how the code is getting appended to those files. Try removing the code and refreshing the page. If it's still there, something is actively attaching the code to those pages as they get called. Maybe hiring a security/administration company is in your best interest. Good luck!
your host support is correct. most likely you have some bad coded script which have a security hole. many popular free scripts (and paid too) have a many vulnurabilities. if you have installed any free or paid scripts, check vulnurabilities warnings for approriated scripts and if you find anything, update your scripts to newest version and you will be safe (temporarily).
if you have own scripts, check where you allow to visitor, upload any code to your account. for example many beginners not check include function, or use GET requests without checking who send it and from where (not check referer) and so on.
Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168