Announcement

**Merjawy** · Tue 26 Jun '12, 9:36pm

Sounds like you still have issues, could be transfered from your PC to your site..., make sure you scan your files, change your passwords and upload clean copy.

The code could hide in many php and htm files and easy to miss.

Also, it could be in some thread(s) on your forum and not the files.. I would ask your mod what part of the site was he on when he was alerted to virus.

**beishe8** · Tue 26 Jun '12, 9:59pm

Originally posted by John h View Post

My antivirus doesn't show any warnings (It did when the problem first occured, but doesn't now).

Mine does clicking on www.modelpowerboat.com:
http://safeweb.norton.com/report/sho...source=toolbar

Edit: Perhaps both Google and Norton do not like redirections to doubleclick.net?

Code:

http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7005778430025579&output=html&h=15&slotname=5182904917&w=728&lmt=1340778129&flash=11.3.300&url=http%3A%2F%2Fwww.modelpowerboat.com%2Fforum.php&dt=1340778130148&bpp=2&shv=r20120620&jsv=r20110914&correlator=1340778130194&frm=20&adk=802579221&ga_vid=469533974.1340778130&ga_sid=1340778130&ga_hid=914882764&ga_fc=0&u_tz=600&u_his=3&u_java=1&u_h=1050&u_w=1680&u_ah=1010&u_aw=1680&u_cd=24&u_nplug=23&u_nmime=109&dff=tahoma&dfs=13&adx=360&ady=191&biw=1447&bih=850&oid=3&ref=http%3A%2F%2Fwww.modelpowerboat.com%2Factivity.php%3Fs%3Dd971b1cb8c1d79260d4a61e7fcc4609c&fu=0&ifi=1&dtd=75&xpc=ZJ2R9Odtdm&p=http%3A//www.modelpowerboat.com&rl_rc=true&adsense_enabled=true&ad_type=text_image&oe=utf8&height=15&width=728&format=fp_al_lp&kw_type=radlink&prev_fmts=728x15_0ads_al_s&rt=ChBP6qagAA1wLQqkHo__NEsSEg9TcGVlZCBCb2F0IFRvdXIaCFSnRx2Lqw4oKAFSEwie-K_o4-2wAhXMgKQKHTBRuRI&hl=en&kw0=Power+Boat&kw1=Boat+Registration&kw2=Boat+Bill+of+Sale&kw3=Speed+Boat+Tour&okw=Speed+Boat+Tour

**Merjawy** · Tue 26 Jun '12, 10:04pm

Not all antivirus programs alike... I found that out many moons ago. I use Avast, I don't wanna bash any programs but some are well known but are worthless...
I did click on your site and went through the tabs and got no issues... It could be in your threads like I said if google and your mod saying there is still an issue.. I didn't go through your threads!!!

**Wayne Luke** · Tue 26 Jun '12, 11:10pm

Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.

1) make sure all your files are proper. Delete any files not part of vBulletin. You can use the suspect file diagnostic for this. Maintenance -> Diagnostics.

2) check all your plugins against the code they are originally installed with. There should be no plugins assigned to the vBulletin product that you didn't write yourself.

3) make sure your using the latest version. That is 4.2.0 PL 1

4) run the template fix tool from vBulletin.org. http://www.vbulletin.org/forum/showthread.php?t=281080

5) make sure your server is secure.

**beishe8** · Tue 26 Jun '12, 11:40pm

Originally posted by Wayne Luke View Post

Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.

Thanks for the info.

**Amaury** · Wed 27 Jun '12, 8:39am

Originally posted by Wayne Luke View Post

Would be interesting if Google didn't like redirects to Doubleclick... Google owns Doubleclick.

1) make sure all your files are proper. Delete any files not part of vBulletin. You can use the suspect file diagnostic for this. Maintenance -> Diagnostics.

2) check all your plugins against the code they are originally installed with. There should be no plugins assigned to the vBulletin product that you didn't write yourself.

3) make sure your using the latest version. That is 4.2.0 PL 1

4) run the template fix tool from vBulletin.org. http://www.vbulletin.org/forum/showthread.php?t=281080

5) make sure your server is secure.

Just a small correction. The latest version is vBulletin 4.2.0 Patch Level 2, not 1.

**Merjawy** · Wed 27 Jun '12, 8:41am

Shshhhhhh,, don't tell Wayne

**Wayne Luke** · Wed 27 Jun '12, 8:45am

Originally posted by Amaury25 View Post

Just a small correction. The latest version is vBulletin 4.2.0 Patch Level 2, not 1.

one of the issues of posting at 12:10 a.m. But yes, you're correct.

**Amaury** · Wed 27 Jun '12, 8:59am

Originally posted by Wayne Luke View Post

one of the issues of posting at 12:10 a.m. But yes, you're correct.

Always happy to help.

Also, we have the same time zone.

**TheLastSuperman** · Wed 27 Jun '12, 9:52am

Originally posted by John h View Post

I'm at a loss as what to do.

Any ideas?

BTW: my site is www.modelpowerboat.com

Try the info in this article - https://www.vbulletin.com/forum/cont...vBulletin-Site see if you can't identify the issue and remove it yourself... it they keep seeing something present on the site chances are it is in fact still present and not residual.

**borbole** · Wed 27 Jun '12, 9:54am

I would also recommend that you talk to your host about it so they can check their logs for around the time of the infection and see what happened and how it did happen.

**Home Alone** · Wed 27 Jun '12, 10:19am

Originally posted by John h View Post

My Forum/CMS has been infected with Malware and Google has listed it as an attack site. At first I was getting redirected to some site so I could plainly see there was a problem. I went through and deleted all files on the server and uploaded a fresh copy from vBulletin. I created a new default style and thought I was all ok.

I've been playing tag with Google for about two weeks now requesting a review to have my site unlisted as an attack site. Every time I request a review google come back saying I am still infected. When ever I look at the pages they say, I can't see anything wrong. I even tried the "Fetch as Google" tool from Google Webmaster tools and I still can't see anything wrong. My antivirus doesn't show any warnings (It did when the problem first occured, but doesn't now). One of my Moderators PM'ed me last night saying his antivirus still gives him warnings that the site is an attack site.

I'm at a loss as what to do.

Any ideas?

BTW: my site is www.modelpowerboat.com

I checked your site here: http://sitecheck.sucuri.net/results/...powerboat.com/

According to them your .htaccess file may have suspicious redirects: http://labs.sucuri.net/db/malware/malware-entry-mwhta7

Have you checked the .htaccess file?

**John h** · Wed 27 Jun '12, 10:35pm

Thanks for all the replies. The htaccess file had been modified and it was hidden way, way, way to right of the file so it could be seen. I think it is all fixed now.

**TheLastSuperman** · Thu 28 Jun '12, 8:35am

Originally posted by John h View Post

Thanks for all the replies. The htaccess file had been modified and it was hidden way, way, way to right of the file so it could be seen. I think it is all fixed now.

We are all here to help

. Do me one favor though if you have not already, run the queries listed in the article I linked you to and run suspect file versions... basically I'm telling you to double-check it all and ensure nothing is still present on your server, this way there's absolutely no hidden point of access or other still remaining

.

vBulletin 4 End of Life

Announcement

Help Malware Infection that I can't see - What to do?

[Answered] Help Malware Infection that I can't see - What to do?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment