Trying to see if I have been hacked!

Re: Trying to see if I have been hacked!

by Lance Hinds -

Thanks Ken,

The site is being run on CentOS. This looks like it is going to be a lot of stress.

Best regards

In reply to Lance Hinds

Re: Trying to see if I have been hacked!

by Ken Task -

CentOS ... that's a start! (and good in that it might be fairly easy to 'fix', depending upon factors - less stressful than you think).

Are you remotely hosted?  If so, with whom (who is the provider)?

Do you have command line access to the server? (ssh)

Could be that your server has been targeted by a bot of some kind.  Check users on the system for 'strange' (by that I mean not normal) users with EMail addresses not normally used by your 'typical clients'.  Delete the ones that are un-confirmed - and take note of their domains (funnyuser@some.info - the 'some.info' are the domains).

If server is set up for EMail based registration, one might have to limit the EMail addresses to known domains of your typical clients - reject those domains you noted above.

You say you've upgraded to version 1.9 … the highest/most secure version: 1.9.19+.
How did you do that?  Reason I ask, could be, the file/files of the 'infection' *could* (not saying they are) still be there and accessible by whomever.

Does this involve only chat?  i.e., that's the only place one sees 'strange behavior'?

'spirit of sharing', Ken
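
The account check described in the reply above, sketched as an added example that is not part of either poster's message: it tallies the email domains of unconfirmed accounts, sets aside the ones that need a manual look, and builds a candidate deny list. The sample rows, the `school.example` known-domain set, the function names and the space-separated output format are all assumptions for illustration.

```python
from collections import Counter

# Constructed sample rows (username, email, confirmed flag); not real accounts.
SAMPLE_USERS = [
    ("jsmith", "jsmith@school.example", 1),
    ("mlee", "M.Lee@School.Example", 1),
    ("xk2941", "xk2941@some.info", 0),
    ("promo77", "promo77@some.info", 0),
    ("qq_deal", "qq_deal@cheap-pills.example", 0),
    ("newkid", "newkid@school.example", 0),  # unconfirmed, but a known domain
    ("broken", "no-at-sign", 0),             # malformed address
]

KNOWN_DOMAINS = {"school.example"}  # assumption: domains of your typical clients


def email_domain(email):
    """Return the lower-cased domain part, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def triage(users, known_domains):
    """Count unconfirmed accounts per unknown domain; list the rest for review."""
    suspect = Counter()
    review = []  # unconfirmed accounts that need a look by hand
    for username, email, confirmed in users:
        if confirmed:
            continue
        domain = email_domain(email)
        if domain is None or domain in known_domains:
            review.append(username)
        else:
            suspect[domain] += 1
    return suspect, review


def deny_list(suspect):
    """Space-separated domains, most frequent first (format is an assumption)."""
    return " ".join(sorted(suspect, key=lambda d: (-suspect[d], d)))


if __name__ == "__main__":
    suspect, review = triage(SAMPLE_USERS, KNOWN_DOMAINS)
    print("unconfirmed by domain:", dict(suspect))
    print("review by hand:", review)
    print("deny list:", deny_list(suspect))
```

Unconfirmed accounts from a known domain are listed for review rather than counted, since they may be genuine users who never clicked the confirmation link.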