You could use the PHP File Change Scanner which is part of Admin Tools. What you described this software is doing is exactly what our PHP File Change Scanner does. However, I don't think you even need to do that.
Your threat surface is very limited: one directory where people upload stuff. This is easy to guard.
First of all, disable direct web access to that folder. You can use the .htaccess Maker in Admin Tools or a simple .htaccess.
Then you need to limit what is being uploaded. Assuming that uploads go through Joomla!, you are already protected by Admin Tools and Joomla! itself (we contributed Admin Tools' UploadShield to Joomla! a couple of years ago).
On the off chance that something executable goes through, the .htaccess will prevent it from running. But you can also run a CRON job which looks for .php, .php3, .php5, .phps, .inc, .py and .pl files in the upload folder and deletes them. Running this every 2 minutes is enough and doesn't increase server load.
Better yet, your forms should not handle uploads naively (trust the filename sent by the remote client). They should rename the uploads to a random name without an extension, e.g. like we are doing with Akeeba Ticket System. That eliminates the need for scanning in the first place.
The only thing that's not covered by that is Windows and document viruses / malware. I think this is best left to an actual antivirus running on the client computer where these files are eventually downloaded to. Otherwise you're looking at a more complicated setup which may or may not work properly.
As for myJoomla and Sucuri, they offer different kinds of services. myJoomla would check if your site is hacked and help you clean it. That would make sense if your forms are badly written and you are not sure if they have gaping holes which allow people to upload arbitrary files to arbitrary directories. Until you can audit your code, myJoomla should be a good option, on top of Admin Tools' PHP File Change Scanner.
Sucuri, on the other hand, deals with inbound malicious traffic. Of course Admin Tools' Web Application Firewall also does the same. I see them as complementary. Sucuri can handle the bulk of the attacks since it's a service sitting in front of your site. It will block stuff before it hits your server, reducing the server load. Admin Tools will catch those cases which require knowing the application state to accurately judge maliciousness.
TL;DR: You can have more than decent protection just with Admin Tools. Third party services are a good thing, if you can spare the expense, but not a mandatory ingredient for your particular use case.
Nicholas K. Dionysopoulos
Lead Developer and Director
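
The CRON sweep described in the reply above, as an added example that is not part of the original post and is not Admin Tools code. The function name `sweep_uploads` and the paths in the crontab comment are assumptions; the extension list is the one given in the reply.

```shell
#!/bin/sh
# Added example: delete script files from an upload folder.
# Example crontab entry (both paths are placeholders), every 2 minutes:
#   */2 * * * * . /path/to/sweep_uploads.sh && sweep_uploads /path/to/uploads

# Extensions named in the reply above.
SWEEP_EXTS="php php3 php5 phps inc py pl"

# sweep_uploads DIR
# Recursively deletes regular files under DIR whose name ends in one of
# SWEEP_EXTS (case-insensitive). Prints each removed path, one per line,
# so cron can mail or log what was found.
sweep_uploads() {
    dir=$1

    # Refuse an empty or root path so a misconfigured cron line
    # cannot sweep the wrong tree.
    case "$dir" in
        ""|"/") echo "sweep_uploads: refusing '$dir'" >&2; return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "sweep_uploads: no such directory: $dir" >&2
        return 2
    fi

    # Build the find expression: -iname '*.php' -o -iname '*.php3' -o ...
    set --
    for ext in $SWEEP_EXTS; do
        if [ $# -gt 0 ]; then
            set -- "$@" -o
        fi
        set -- "$@" -iname "*.$ext"
    done

    # -type f matches regular files only; find does not follow symlinks
    # by default, so a link pointing outside DIR is left alone.
    find "$dir" -type f \( "$@" \) -print -exec rm -f -- {} +
}
```

Any output from the job means a script file got past the upload form, which is worth investigating in its own right.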