Malware Issue
aspen1018
12-20-2013, 01:01 AM
Chrome is giving a warning that my site is infected with malware. Anybody have any experience with cleaning this up?
ForceHSS
12-20-2013, 01:02 AM
Link to site
aspen1018
12-20-2013, 01:14 AM
www.vspotlounge.com/forums/forum.php
Max Taxable
12-20-2013, 01:22 AM
Here's what Google says about it:

Safe Browsing
Diagnostic page for vspotlounge.com/forums
What is the current listing status for vspotlounge.com/forums?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 107 pages we tested on the site over the past 90 days, 99 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-11-20, and the last time suspicious content was found on this site was on 2013-11-04.
Malicious software is hosted on 1 domain(s), including llamaralac1975.tk/.
This site was hosted on 1 network(s) including AS26496 (26496-GO-DADDY-COM-LLC).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, vspotlounge.com/forums appeared to function as an intermediary for the infection of 6 site(s) including bullrunrally.com/, thepicsorbs.com/, uberbets.com/.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Firefox alerted on it as well.
Here's what all your home page is loading:
http://www.webpagetest.org/result/131220_7B_2Z0/
Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.
ForceHSS
12-20-2013, 01:38 AM
http://sitecheck.sucuri.net/results/www.vspotlounge.com/forums/forum.php
aspen1018
12-20-2013, 02:29 PM
http://sitecheck.sucuri.net/results/www.vspotlounge.com/forums/forum.php
Thank you.
I checked those specific pages and couldn't find the code in there.
--------------- Added 1387553465 at 1387553465 ---------------
Items 37 and 38 aren't familiar to me, are they to you? Item #4 is an XML application, looks suspicious but renders a 404.
No they are not. Have no idea how to clean that up though
Max Taxable
12-20-2013, 02:35 PM
No they are not. Have no idea how to clean that up though

Those ARE the malware, as a closer look at the request reveals:

GET /tmp/api.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive
And appear to be in /tmp/api.php
The second one is in a different location:

GET /tmp/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.vspotlounge.com/forums/forum.php
Accept-Language: en-US
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) PTST/153
Accept-Encoding: gzip, deflate
Host: finansecity.pl
DNT: 1
Connection: Keep-Alive

These files are not part of vBulletin. I think your board has been hacked and you should follow all the protocols for cleaning it.
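The check done by eye in the post above (spotting page-load requests that go to a host the site owner does not recognize) can be scripted; the following is an added example, not part of the original thread. The allowlist and the first request in the sample are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed capture: request 1 is made up; 2 and 3 follow the thread, trimmed.
CAPTURE = """\
GET /forums/forum.php HTTP/1.1
Host: www.vspotlounge.com

GET /tmp/api.php HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
Host: finansecity.pl

GET /tmp/ HTTP/1.1
Referer: http://www.vspotlounge.com/forums/forum.php
X-Download-Initiator: html="doc 0C40 win AAA0; html frame appendChild"
Host: finansecity.pl
"""
# Assumption: the hosts the site owner expects the page to load from.
ALLOWED_HOSTS = {"www.vspotlounge.com", "vspotlounge.com"}

def parse_requests(text):
    """Split blank-line-separated request blocks into method, path and headers."""
    requests = []
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        method, path, _version = lines[0].split(" ", 2)
        pairs = (ln.partition(":") for ln in lines[1:])
        headers = {name.strip().lower(): value.strip() for name, _, value in pairs}
        requests.append({"method": method, "path": path, "headers": headers})
    return requests

def flag_offsite(requests, allowed_hosts):
    """Return requests to hosts outside the allowlist, noting who referred them."""
    findings = []
    for req in requests:
        hdrs = req["headers"]
        host = hdrs.get("host", "").split(":")[0].lower()  # drop any :port
        if host in allowed_hosts:
            continue
        referer_host = urlsplit(hdrs.get("referer", "")).hostname or ""
        findings.append({"host": host, "path": req["path"],
                         "referred_by_own_page": referer_host in allowed_hosts,
                         "initiator": hdrs.get("x-download-initiator", "")})
    return findings

if __name__ == "__main__":
    for finding in flag_offsite(parse_requests(CAPTURE), ALLOWED_HOSTS):
        print(finding)
```

A finding with `referred_by_own_page` set means the site's own page triggered the off-site request, which is the pattern both quoted requests show.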
tbworld
12-20-2013, 02:59 PM
This is known malware, I have seen it several times before and it is in my library of exploits. Use the standard vBulletin recommendations for eliminating an intrusion. It will work if you follow each step carefully.
Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site
Also please see these recent security announcements:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions