Not a security expert, but have, unfortunately, had first hand 'experience' - a few years ago. Yes, when running 1.8 and before I learned about making sure Moodle was updated everytime a security announcement was made from Moodle HQ (register your site and that automagically subscribes the EMail address to a notifications list concerning security issues).
It would probably help to know what operating system, but ....
If a site has been hacked, the malicious code could be anywhere on the system ... not necessairly in the moodle directory or code.
While there is a doc on this topic (link below and note it's not specific to 1.9):
http://docs.moodle.org/23/en/Hacked_site_recovery
Sometimes the only way one can be absolutely sure the server is clean it to wipe it clean ... ie, format disk and re-install the operating system (before that, however, making a full Moodle site backup ... code directory ... especially the config.php file), the data directory, and an SQL dump of the DB for Moodle. Before restoring the backup, inspection of all parts of the backup is also in order.
We all learn ... sometimes the hard way.
'spirit of sharing', Ken