Trojan warnings when clicking on Google search results into our MB.
Bill Stuntz
02-26-2015, 07:10 PM
I can't find any CURRENT info about this here, or on the .com support forum - it all seems to be from about 2013. As far as I can tell, the posts Google finds that cause the problem are all old ones.
This search: https://www.google.com/?gws_rd=ssl#q=colonial+clock+1729 returns the following result - (slightly obscured by me in this post in case it actually IS dangerous)
ZZZ.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http%3A%2F%2Fmb.nawcc.org%2Fshowthread.php%3F103674-Colonial-Grandmother-model-1729&ei=qY3uVNGkHYWryASX7YLwDA&usg=AFQjCNEZafzDDfRC-ef5Tq5t80JbXe680Q
I'm finding so much conflicting information I don't know what to believe - "Your site IS infected" or "It's a vB problem" or "It's Google's problem" or "It's the user's Windows computer that's infected"
I HAVE scanned our site using various online tools, and everything I've done leads me to believe that we're clean. And I've scanned my Windows machine using several different AV tools with nothing found.
CAG CheechDogg
02-26-2015, 07:50 PM
Sometimes there are 3rd party links hidden in a post anywhere on a site or forum content and you get this ... a simple image that is being served from somewhere else besides your site can make "Avast" spit that out ... I have Avast and it does that all the time ... now not on our site but other sites, and very rarely on ours ... If I see this pop up on our site I stay on that page and look at all the content on that page when Avast spits that out ...
Be glad that Avast actually catches all that ... and I wouldn't worry about it that much either ... do you have a link to your site where I can go that might spit that out from time to time?
ForceHSS
02-26-2015, 08:08 PM
Not getting anything with the link
CAG CheechDogg
02-26-2015, 08:12 PM
Not getting anything with the link
Me neither ... Like I said ... it could have been a link somewhere or even an image and Avast decided to spit out a false positive, which it is known to do quite often ... I wouldn't worry at all ...
Bill Stuntz
02-26-2015, 08:40 PM
I haven't been able to generate any AV hits using this direct link to the post: http://mb.nawcc.org/showthread.php?103674-Colonial-Grandmother-model-1729
And using Google's link, the behavior is so darn unpredictable I don't know what to think.
Caution: Here's the un-obscured link:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http%3A%2F%2Fmb.nawcc.org%2Fshowthread.php%3F103674-Colonial-Grandmother-model-1729&ei=x5zvVKizIbWJsQSz1IHQAQ&usg=AFQjCNEZafzDDfRC-ef5Tq5t80JbXe680Q&sig2=DhhGlOZgmSda8GPqcUCzFQ
But we're getting complaints from users, and one of the moderators reported the problem to me privately last week, with a screen shot identical to the one I posted here. The mod was using Avast, so I installed it and couldn't reproduce it last week, but I HAVE been able to intermittently reproduce it last night & today from the complaining user's link. I don't know what AV anyone else is using - they haven't replied to my question.
P.S. The screen shot I posted was from MY computer last night. And the AV hit was on my HOST computer's screen when I followed that Google link in my VIRTUAL XP. I disabled the Avast on the HOST, and the message showed up again from the VM's Avast.
I'm fairly sure our MB is NOT infected, but it might be difficult to convince our visitors of that.
TheLastSuperman
02-26-2015, 09:54 PM
- Upload 100% fresh files from a brand new vbulletin .zip (download the exact same version you're on now, once you fix the exploit/virus you can then upgrade but not before).
- Check to see if you're using a version that's still utilizing an outdated and prone to exploit swf file: http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4014473-yui-flash-uploader-exploit-and-the-vb-recommended-fix (if so then use this: https://vborg.vbsupport.ru/showthread.php?t=307008 )
It sounds like the filestore72 or 123 exploit from a while back, so basically you're only being redirected to malicious/porn/similar sites from the Google links correct?
- If no then it's another exploit/virus.
- If yes upload fresh files like I mentioned above, then go to AdminCP > Server Settings and Optimization Options > Use Remote YUI > *If that is set to google or yahoo or none change the setting to check, if changing to google or yahoo does not work try none and use local files (you just overwrote any bad files with fresh files remember) and now clear your site's cache, your browser cache, AND cookies - close your browser afterwards and DO NOT follow any bookmarks (delete those if you had them saved in browser and remake them)... now when you re-open your browser go to google and check the sub-links are they fixed?
-- If fixed now upgrade.
-- If not fixed then it's more than likely not filestore72 or a variant.
*Also use suspect files in admincp > maintenance they could have dropped a shell script on your server, modified plugins and/or edited one, if not all, of your .php files this could be coming from a base64 snippet in a file or in a template they added.
**Also in your browser, change your home page and make it https://www.google.com because it's adding in the ?gws_rd=ssl in the url since your browser has the old url saved as your home page setting, they've since made that page https versus the old url which was http.
***Last * else you might die from over-use LOL no but seriously, Google does not normally give out virus/infected warnings unless something is actually up so from me to you, please never assume it's a false alarm or false positive - always confirm else anytime someone visits your site, it's your site that's placing them at risk.
http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked
http://www.vbulletin.com/forum/blogs/michael-miller/3934768-recovering-a-hacked-vbulletin-site
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info
This is not filestore however it shows an example of what might be added in .php files:
http://www.innovationbyinstinct.com/threads/342-White-Blank-pages-on-forum-and-admincp
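The "upload fresh files, then look for dropped shells and base64 snippets" steps above can be turned into a repeatable audit: hash every .php file in a stock copy of the exact vBulletin version, hash the deployed tree, and scan only the files that differ or that exist solely on the server for the indicators the post describes (eval of a base64 blob, a redirect that only fires when the visitor arrives from a search engine). The script below is an added example and not vBulletin's own tooling; it assumes the stock .zip has been extracted to one directory and a copy of the live forum files is available in another. `build_demo()` creates a constructed two-file fixture with harmless placeholder payloads so the audit can be run offline.

```python
"""Audit a live vBulletin tree against a stock copy of the same version.

Added example, not vBulletin's own code. Assumes CLEAN_ROOT holds the files
from a freshly downloaded .zip and LIVE_ROOT holds a copy of the deployed site.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators of injected PHP of the kind described in the thread. Scanning
# only non-stock files keeps these patterns from firing on legitimate code.
INDICATORS = [
    (re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "eval of decoded blob"),
    (re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I),
     "long inline base64 literal"),
    (re.compile(rb"HTTP_REFERER.{0,300}?header\s*\(\s*['\"]Location", re.I | re.S),
     "referer-conditional redirect"),
    (re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
     "preg_replace with /e modifier"),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every .php file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*.php") if p.is_file()}


def compare_trees(clean_root: Path, live_root: Path) -> dict:
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    return {
        "modified": sorted(k for k in clean if k in live and clean[k] != live[k]),
        "extra": sorted(k for k in live if k not in clean),   # dropped files
        "missing": sorted(k for k in clean if k not in live),
    }


def scan_file(path: Path) -> list:
    data = path.read_bytes()
    return [label for pattern, label in INDICATORS if pattern.search(data)]


def audit(clean_root: Path, live_root: Path) -> tuple:
    """Return (tree diff, {suspect file: [indicator labels]}).

    A byte-identical copy of a stock file cannot carry an injection, so only
    modified and extra files are scanned for indicators.
    """
    diff = compare_trees(clean_root, live_root)
    findings = {}
    for rel in diff["modified"] + diff["extra"]:
        hits = scan_file(live_root / rel)
        if hits:
            findings[rel] = hits
    return diff, findings


def build_demo() -> tuple:
    """Constructed fixture: a tiny 'stock' tree and a 'live' copy with one
    tampered core file and one dropped file. Payloads are harmless placeholders."""
    base = Path(tempfile.mkdtemp())
    clean, live = base / "clean", base / "live"
    stock = b"<?php\n// constructed stand-in for a stock vBulletin file\n$x = 1;\n"
    for root in (clean, live):
        (root / "includes").mkdir(parents=True)
        (root / "global.php").write_bytes(stock)
        (root / "includes" / "functions.php").write_bytes(stock)
    # Appended to a core file: only visitors referred by a search engine are sent away.
    injected = (b"\nif (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
                b"    header('Location: http://REDIRECT-PLACEHOLDER.example/'); exit;\n}\n")
    (live / "global.php").write_bytes(stock + injected)
    # Dropped file: eval of a base64 blob (placeholder text, not real code).
    blob = base64.b64encode(b"PLACEHOLDER: harmless text standing in for an attacker blob")
    (live / "images").mkdir()
    (live / "images" / "cache.php").write_bytes(b"<?php eval(base64_decode('" + blob + b"'));\n")
    return clean, live


if __name__ == "__main__":
    clean_root, live_root = build_demo()
    diff, findings = audit(clean_root, live_root)
    print(diff)
    for rel, hits in findings.items():
        print(f"{rel}: {', '.join(hits)}")
```

Files listed under "extra" deserve attention even when no indicator matches, since a dropped shell need not use any of these constructs; templates and plugins stored in the database are outside this check and still need the AdminCP review the post describes.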
Bill Stuntz
02-26-2015, 10:30 PM
***Last * else you might die from over-use LOL no but seriously, Google does not normally give out virus/infected warnings unless something is actually up so from me to you, please never assume its a false-alarm or false-positive - always confirm else anytime someone visits your site, its your site that's placing them at risk.
That's why I've spent all day trying to figure this out - I didn't know WHAT to believe, especially since pretty much all the info I've been able to find is from 2013. And I REFUSE to ignore stuff like this.
Will this do anything to help our users who might have been affected? If NOT, what do you suggest?
TheLastSuperman
02-26-2015, 10:38 PM
That's why I've spent all day trying to figure this out - I didn't know WHAT to believe, especially since pretty much all the info I've been able to find is from 2013. And I REFUSE to ignore stuff like this.
Will this do anything to help our users who might have been affected? If NOT, what do you suggest?
It depends on what this ends up actually being, heck your pc could be infected it just depends. I'd certainly trace it down and ensure it's clean above all else though, try what I mentioned above or rather the short version:
1) Replace all files with fresh files from a newly downloaded vbulletin.zip.
2) Change YUI setting.
3) Now check, fixed?
Edit: You can and probably should run a scan using whatever anti-virus or anti-thisORthat software you have protecting your pc, not sure what you're using but best to scan. *Don't install 2 to 3 of the same things i.e. don't install Norton and Avast or another anti-virus, they will conflict. I'd run a scan with your anti-virus program then you can go further from there if you find or feel your pc is infected such as JRT.exe which is Junkware Removal Tool / Spybot Search & Destroy / HiJack This HOWEVER BE FOREWARNED some of these require an experienced user, they can and will allow you to delete pertinent REQUIRED files so don't do anything if you're not familiar with the programs OR if you're not going to take the time to read up on all of this before blindly cleaning something ok? :cool:.
ForceHSS
02-26-2015, 11:09 PM
Best scanner around: http://www.eset.com/us/online-scanner
Bill Stuntz
02-26-2015, 11:13 PM
My problem now is that I don't have access to the server itself, just vB. So I'm passing this stuff up the line to actually get it done.
Thanks. I occasionally use every one of the tools you mention (and more) as cross-checks on my own machine. I'm NEARLY 100% sure I'm clean on my end.
I DO have multiple AV programs installed, but only 1 is active at a time - I don't trust ANY of them 100%. I've been de-gunking PC's for years - probably several hundred of them. And since I infected a customer's PC with Chernobyl way back when, I'm paranoid about keeping my own PC clean. I was running McAfee under Win95 at the time and it wouldn't auto-update for some reason. So I was manually updating daily. When I installed MS Plus, it was "nice" enough to sneak in a new copy of exactly the same version of McAfee that I was already running - but in a different directory. I was manually updating the copy I had installed and THOUGHT was running, not the one that actually WAS running. It's almost funny looking back on it, but it certainly wasn't funny then.
TheLastSuperman
02-27-2015, 12:06 AM
You need access, always best to have access.
Bill Stuntz
02-27-2015, 01:48 AM
I'm the new kid on the block, and basically a Windows guy to boot. I've been fiddling with microcomputers since I built my first computer in 1978 - a 6800CPU, 1K static RAM, 6-digit 7-segment display, 24-key HEX keypad, with 75 baud audio cassette "Mass Storage" - all programming in machine code. But for the last 25 years or so it's all been Windows. I'm afraid I have to bump it higher up the food chain.
P.S. I'm running that ESET online scanner right now. Want to bet on whether I'll have to "rescue" my IP & port scanners, remote control software, etc. AGAIN because they're detected as hacking tools?
ForceHSS
02-27-2015, 09:33 AM
I'm the new kid on the block, and basically a Windows guy to boot. I've been fiddling with microcomputers since I built my first computer in 1978 - a 6800CPU, 1K static RAM, 6-digit 7-segment display, 24-key HEX keypad, with 75 baud audio cassette "Mass Storage" - all programming in machine code. But for the last 25 years or so it's all been Windows. I'm afraid I have to bump it higher up the food chain.
P.S. I'm running that ESET online scanner right now. Want to bet on whether I'll have to "rescue" my IP & port scanners, remote control software, etc. AGAIN because they're detected as hacking tools?
Been using ESET for over 10 years and have never got anything, ever. It is the best around; I did months of checking for the best and ESET came up every time.
Bill Stuntz
02-28-2015, 02:40 AM
The LAST time I ever got infected was Chernobyl/CIH back around 98/99. But I've de-gunked infected computers that had current up-to-date versions of just about every AV program I've ever heard of. I don't remember ever having to disinfect one with ESET, though. So you may very well be right about its being the best. Even so, I don't trust ANY of them 100%.
It took me 3 days to manually kill the first copy of one of those Fake AV/Security trojans I saw. When my son caught it, he must have been one of the very first victims. Absolutely NOTHING on Google when he asked me to fix his computer, but stuff started showing up later in the day. Nothing that helped kill it, but lots of complaints about it. No AV program could even detect it, let alone kill it. 3 alphabet soup processes all crosschecking each other - even in safe mode, started from odd places in the registry. And impossible to kill them all in task manager before the last one would start a couple more. I had to pull his HD and TRY to find them all, without a good way to search for alphabet soup. Miss one, stick his HD back in his machine, and they all came back. PITA!!!! About the time I finally killed it, the special-purpose tools started coming out from the AV companies.
kurt.australia
04-19-2016, 09:49 PM
We have the filestore issue on our forum, and have had for over 12 months, not good. VB support say they know nothing about the hack, but I have done loads of research and there are so many solutions; I've passed it to our IT guy now.
Is there a quick fix?
TheLastSuperman
04-19-2016, 11:09 PM
https://clients.urljet.com/knowledgebase/138/Fix-vBulletin-4xx-Filestore123-Hack.html
https://clients.urljet.com/knowledgebase/147/Fix-HOW-TO-FIX---Vbulletin-redirecting-to-filestore123com-version-2.html
Edit: I will add that, once done cleaning, making changes, don't forget to change your site's cookie prefix in the config.php file, that always helps. Also - Be sure to run a scan on your PC as well for viruses and malware, your regular anti-virus should work fine and I would install and run either Spybot Search and Destroy (some prefer MalwareBytes, I do not for a good reason I will not list) and for advanced users HiJack This is also a great program (DO NOT USE UNLESS YOU KNOW WHAT YOU'RE DOING! I CANNOT STRESS THIS ENOUGH WITH HIJACK THIS!!!!!!).
Those links should help sort you, there are others online as well including one forum who had a very detailed post on how to remove it but I can't locate it in my bookmarks (sorry! Need to clean them up lol).