Solving filestore72 hack. How to clear the database table? (https://vborg.vbsupport.ru/showthread.php?t=302248)

Macsee 09-17-2013 09:59 AM

Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.

Quote:

Table 'databasename.template' doesn't exist

I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added 09-17-2013 at 01:02 PM ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.

TheLastSuperman 09-17-2013 01:22 PM

Quote:

Originally Posted by Macsee (Post 2446150)
Thanks ozzy. I've already removed the only plugin I had and am going to be upgrading to the latest version of vB but wanted to clear the database of any infection first.

I tried your first command and got an error saying that DatabaseName.plugin didn't exist. I tried swapping "plugin" for the table name but that didn't work either. I got the same problem with the second command i.e. an error message saying that the table template doesn't exist.



I can download that table, edit it in Notepad++ and then upload it back to the database. Would that work?

--------------- Added 09-17-2013 at 01:02 PM ---------------

Nope, that didn't work. I backed up the db, edited the datastore.MYD in Notepad++ and uploaded it and I was getting all kinds of SQL errors. I had to revert to a saved copy of the database.

You're running these queries from within phpMyAdmin, correct? "plugin" is the table name, don't change that ;) and do your tables use a prefix? If so, add the prefix and then run, for example:

PHP Code:

SELECT title, phpcode, hookname, product FROM TABLEPREFIXHERE_plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode like '%pass_thru%' OR phpcode like '%iframe%'


prefix_tablename

Also, don't edit via Notepad++ when you can edit via phpMyAdmin; not all data is meant to be, nor can be, edited that way.

Macsee 09-17-2013 01:25 PM

Update: AdminCP > Maintenance > Repair Tables seems to have done it! :)

The table is now clean! :)

But, of course, the infection may exist in other tables so I would still be keen on running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.

TheLastSuperman 09-17-2013 01:31 PM

Quote:

Originally Posted by Macsee (Post 2446205)
Update: AdminCP > Maintenance > Repair Tables seems to have done it! :)

The table is now clean! :)

But, of course, the infection may exist in other tables so I would still be keen on running a search through the whole database for any malicious code.

To answer your question, yes, it's in phpmyadmin.

Ok, then run the two queries in ozzy's post above to check; that's what those do, i.e. they "Select" results from the tables in question IF any of the codes are present within them, such as %base64%. See how in between the percentages it has base64, which is what you're specifically looking for. They simply don't delete; you must do that manually (be forewarned, though: in rare cases some valid mods use base64 code, so don't just go blindly deleting everything that comes up in results).

Also, are you 100% sure that your files are clean? Make sure you download the same version of vBulletin from the members area, overwrite all vBulletin files AND while you are in there check the date on files, the timestamps rather... any new files? Any recently modified files per the timestamps? If so, overwrite those with clean files and/or delete.

Macsee 09-17-2013 02:04 PM

Quote:

Originally Posted by TheLastSuperman (Post 2446204)
prefix_tablename

That worked. :)

Ran both the queries. The first one came up clean. The template search came up with a few results in the form of:

Quote:

styleid title template
-1 editor.css $final_rendered = '.formcontrols .blockrow.textedi...
-1 forumhome_markread_script $final_rendered = '<script type="text/javascript" ...
etc

There were some files with some dates that did not match the others. Particularly the htaccess ... and one or two new files - the typical ini.php used in this hack. Those were all deleted at the start. I will be upgrading to the latest version of vB which should overwrite all existing files.
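
An added example, not part of the original thread: one way to find the real (prefixed) plugin and template table names and to extend the keyword search from those two tables to every text column in the database. It assumes MySQL with the forum database selected in phpMyAdmin, and it uses REGEXP in place of the thread's chained LIKE patterns; the `passthru` spelling is an addition here.

```sql
-- Constructed example for MySQL; select the forum database in phpMyAdmin first.
-- Every statement here is read-only: nothing is updated or deleted.

-- 1. Find the real plugin/template table names, with or without a prefix.
--    This avoids the "Table 'databasename.template' doesn't exist" error.
SELECT table_name
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name REGEXP '(^|_)(plugin|template)$';

-- 2. Generate one scan statement per text column in the database.
--    The pattern covers the thread's keywords; pass_?thru matches both the
--    thread's pass_thru and PHP's actual function name passthru (added here).
SELECT CONCAT(
         'SELECT ''', c.table_name, '.', c.column_name, ''' AS location, ',
         'COUNT(*) AS hits FROM `', c.table_name, '` ',
         'WHERE `', c.column_name, '` ',
         'REGEXP ''base64|exec|system|pass_?thru|iframe'';'
       ) AS scan_statement
FROM information_schema.columns AS c
WHERE c.table_schema = DATABASE()
  AND c.data_type IN ('char', 'varchar', 'tinytext', 'text',
                      'mediumtext', 'longtext')
ORDER BY c.table_name, c.column_name;

-- 3. Paste the generated statements back into the SQL tab and run them.
--    Any row with hits > 0 names a table.column to inspect by hand; as noted
--    in the thread, legitimate mods and templates can match these keywords,
--    so a hit is a lead to review, not proof of infection.
```

phpMyAdmin may truncate the generated statements in its result grid; switch the display to full texts before copying them.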

