Our development and file hosting servers were never reached by the intruders. The file hosting is on Amazon S3, far away from the servers we use for order processing and our general website, which were the ones under attack. And the development systems are entirely separate from that as well.
Even with full unfettered access to the web servers that were breached, there is no link to the actual Media Center binaries, any of the plugins it uses, or our development systems.
The problem with the "proof" you are asking for is that proving a negative is nearly impossible. Malware could be hiding, biding its time - exactly to escape early detection.
As such the best we can do is verify that the servers with this data were in fact never reached, which rules out infection in the first place. Which due to the physical and logical separation is an absolute certainty at this point. Of course we checked!
Additionally, all our binaries are digitally signed. If they had been modified, the signature would be damaged, which is practically impossible to fake. The Signature carries the name of who signed it and the date of signing, which allows us to verify that in fact no binary was ever touched.
All servers that were infected have been entirely rebuilt from scratch, exactly for that reason - we can never prove that we cleaned out everything, unless we just throw away the entire server.