Thank you @tvvpmi. That did the trick!
I've been searching through a database-dump of the database for traces of suspicious JavaScript or iframes, but they only tempered with one specific ad for some reason. There were no PHP-files in the images folder though..
Like you've suggested: I've removed the ability to execute PHP-files in the images-folder, and the installation haven't been compromised since.