I notice today when two members made posts about their donations.

I checked my paypal account and there's was $0 , so I told them double check and they
send me a transaction confirmation ID, I was using vBDonate plugin for donations,
so I checked the setting and the paypal email was changed to a different email.

I started to check everything and find when I click on ranks in the admin cp
I get this:

http://postimg.org/image/7cfz7pie3/

It has been almost 6 hours I've trying to figure this out reading and doing some other stuff
and I still can't get rid of it.

I was using vb 4.1.10, I upgraded:mad: to 4.1.12 thinking that will fix the problem and still there.

Any help will be greatly appreciated.

This may be a good start.

http://www.vbulletin.com/vbcms/content.php/813-Recovering-a-hacked-vBulletin-Site

Thanks for your reply.
Yes, I did that and also a few other things, followed all steps.
I also change ftp, db, passwords.

I've also checked .htaccess file and config.php file as well and I don't see any modifications.

I've also use this template tool if the malicious code was int he template but still doing the same.
https://vborg.vbsupport.ru/showthread.php?t=281080
and that tool "teamps" is still there.

I would:

Download the same exact version of vBulletin your currently running from the members area and have it ready for upload.
Delete the /install/install.php file and the config.php.new.Then upload all the new files, change your admincp and modcp folder to a different name, then change your config.php to reflect the new names, and see if the issue still persists.

Thank you for your reply.
I did it and still the ranks link showing up "TEAMPS" tool.

I see in that tool when trying to click in something it shows the link as this:

I don't really know where to look.

Disable all your plugins.

Open your config.php and below<?php add this line:

define('DISABLE_HOOKS', true);

So it looks like this:
<?php
define('DISABLE_HOOKS', true);
/*================================================= =====================*\
|| ################################################## ################## ||
|| # vBulletin 4.1.4

And see if that fixes it.

Thanks for your response.
adding that code was working fine.

after disabling, and enabling one by one, I find out that the plugin called:
GlowHost - Spam-O-Matic, was the one with the TEAMPS tool, I removed and then it was fine.
Now I'm adding more security ".htacces , htpw, etc."
Thank you.

Not a problem, glad it's sorted. :)

delete the install folder!

I would:

Download the same exact version of vBulletin your currently running from the members area and have it ready for upload.
Delete the /install/install.php file and the config.php.new.Then upload all the new files, change your admincp and modcp folder to a different name, then change your config.php to reflect the new names, and see if the issue still persists.

At this point the entire /install/ directory should now be deleted, not just install.php.