Hacked through provider - files added. (https://vborg.vbsupport.ru/showthread.php?t=316709)

Dave 01-20-2015 03:50 PM

You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way or do you have your own VPS/dedicated server?

kh99 01-20-2015 03:51 PM

Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.

You said you scanned for non vbulletin software, how did you do that?

squidsk 01-20-2015 03:52 PM

Have you deleted the install directory?

pityocamptes 01-20-2015 04:29 PM

Quote:

Originally Posted by Dave (Post 2533535)
You should look into the access.log file of Apache and FTP log file, maybe that will give you some more information.
Do you use shared hosting by the way or do you have your own VPS/dedicated server?

Shared hosting. Last time I went in, when this first happened, all my logs were deleted...

--------------- Added [DATE]1421778601[/DATE] at [TIME]1421778601[/TIME] ---------------

Quote:

Originally Posted by squidsk (Post 2533537)
Have you deleted the install directory?

Yes.

ForceHSS 01-20-2015 04:30 PM

Could be a hidden file that hackers put in place sometimes and very hard to find

pityocamptes 01-20-2015 04:34 PM

Quote:

Originally Posted by kh99 (Post 2533536)
Not that I'm an expert on the subject, but the only thing I can think of other than your host server having been hacked is that they could have added a plugin. Seems unlikely though.

You said you scanned for non vbulletin software, how did you do that?

In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

When it first happened, I went into FTP and looked at all the files. Especially looking for modification dates, in the last day or so. Deleted all the files that were added on the day of the initial hack, and also uploaded clean files like the index file. Would this be a good indicator for looking at suspect files - by looking at the DAY they were uploaded or altered?

I hate to be paranoid, but could this be something on my home computer that malware software is not finding? I have firewalls, etc. so I don't know how they are getting new PW information.

It looks like these +++++++s are an Egyptian hacker group...

kh99 01-20-2015 04:41 PM

Quote:

Originally Posted by pityocamptes (Post 2533551)
In the admincp, looking for suspicious files... unless that is not a good indicator of looking for non vb files...

I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

pityocamptes 01-20-2015 04:44 PM

Quote:

Originally Posted by kh99 (Post 2533552)
I think that's OK, although I'm not sure offhand if it will find hidden files. But if you have any web directories outside the vbulletin directory then you'd have to check there too, and you want to make sure you're seeing hidden files (I don't know if your ftp shows you by default or not).

Ok, this is what I am wondering. So it is possible to physically hide a file from physical view, sort of like Windows does? Because I would think if they buried code in a vbulletin required file, the date stamp should have changed for its modification, which I would have seen in FTP, correct?

Since the database has not been screwed with, I assume they did not get access to that, but would be easily available considering the access info would be in a file....
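
On the question of whether modification dates are a reliable indicator: the following is an added example, not part of the original thread and not vBulletin code. It contrasts a date-based check with a hash comparison against a clean copy of the package; the function names and the sample trees are constructed for illustration, and it assumes a clean copy of the same version is unpacked locally.

```python
import hashlib, os, tempfile, time

def manifest(root):
    """Relative path -> SHA-256 for every file under root; os.walk includes dotfiles."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def changed_since(root, days):
    """The FTP-style check: files whose modification time falls in the last N days."""
    cutoff = time.time() - days * 86400
    return sorted(rel for rel in manifest(root)
                  if os.stat(os.path.join(root, rel)).st_mtime >= cutoff)

def audit(webroot, clean):
    """Compare live files against a manifest built from a clean copy of the package."""
    findings = {}
    for rel, digest in manifest(webroot).items():
        if rel not in clean:
            findings[rel] = "not in clean package"
        elif digest != clean[rel]:
            findings[rel] = "content differs"
    return findings

def write(root, rel, data, age_days=0):
    """Helper for the constructed sample trees below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)
    stamp = time.time() - age_days * 86400
    os.utime(path, (stamp, stamp))  # mtime is writable metadata, not proof of age

def demo():
    """Constructed trees: a clean package copy and a live web root."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        write(root, "index.php", "<?php // index\n", age_days=400)
        write(root, os.path.join("includes", "functions.php"), "<?php // functions\n", age_days=400)
    # Constructed tampering: an altered core file with an old date, plus a dotfile.
    write(live, os.path.join("includes", "functions.php"), "<?php // functions + extra\n", age_days=400)
    write(live, os.path.join("images", ".thumbs.php"), "<?php // unknown\n", age_days=400)
    write(live, "index.php", "<?php // index\n")  # clean file re-uploaded today
    return changed_since(live, 2), audit(live, manifest(clean))
```

In the sample, the date check reports only the re-uploaded clean `index.php`, while the hash comparison reports the altered file and the dotfile regardless of their timestamps. On a real install, site-specific files such as the configuration file and uploaded attachments will also appear as differences and need manual review.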

nhawk 01-20-2015 06:01 PM

I know this won't be helpful but...

$5 will get you $10 that your host is GoDaddy.

I've found that a good majority of hacked sites are hosted on GoDaddy.

pityocamptes 01-20-2015 06:19 PM

Quote:

Originally Posted by nhawk (Post 2533566)
I know this won't be helpful but...

$5 will get you $10 that your host is GoDaddy.

I've found that a good majority of hacked sites are hosted on GoDaddy.

You would be correct. I have a few months left on hosting and will be leaving to another provider. Unless of course this goes $hit south, in which case I will be punching out sooner than later...

So, are you indicating that the issue is on their end, or my end? Like I said, I have no idea how my original account was hacked, too much info they would have had to have had. Now this time around could be explained by something still on the server that I did not clean up, or perhaps, they are having issues??? Thoughts?


All times are GMT.
