The first thing you really need to change is this:
Next I would look at your cache files to see if this code was added there. If so, then someone was probably able to hack your account using a cross-site scripting (XSS) attack, for which there have been several patches since 0.9.2.1. None of these attacks would’ve worked if register_globals had been off, however (whether you’d updated or not).
Given that you’re going to have to do some radical cleaning to be sure that you got rid of any back doors that the hackers may have left, I think that this is probably a very good opportunity to upgrade MODx. I would change all of your passwords, rename the assets and manager folders to xassets and xmanager, upload the new version, and perform an upgrade installation. Then I’d try to restore all your image and other files from a clean local backup and delete the old directories and their contents (and only restore selected files if absolutely necessary from the old installation, since everything in there is suspect now).
No need to wait for the next version of MODx; the current stable release is solid and light years ahead of what you have now.