vb.org Archive

Myfilestore.com Virus (https://vborg.vbsupport.ru/showthread.php?t=323931)

MarkFL 11-28-2016 07:06 PM

Yes, the upgrade will overwrite the default vB PHP files, and your permissions should be preserved and shouldn't be involved in any exploit.

mscottralston 11-28-2016 07:20 PM

Thanks again.

Assuming nothing goes awry, how long should a typical update take to complete?

MarkFL 11-28-2016 07:28 PM

Quote:

Originally Posted by mscottralston (Post 2578856)
Thanks again.

Assuming nothing goes awry, how long should a typical update take to complete?

It depends on the size of your board, but it shouldn't take more than an hour, including making your backups. :)

Bill Stuntz 11-28-2016 10:21 PM

If I recall correctly, this infection is VERY sneaky because it hides itself if your computer has followed the redirection. I THINK it will only show itself to your computer once per day. If you've seen it and done something that you THINK fixed it, following the infected link a second time will LOOK like it's fixed - because it won't redirect a second time. And tomorrow you might see it again - ONCE.

Dave 11-28-2016 10:28 PM

A full scan of Malwarebytes on your own computer is also a smart thing to consider. https://www.malwarebytes.com/
There is lots of different malware out there that steals your locally saved FTP logins.

TheLastSuperman 11-28-2016 10:45 PM

Quote:

Originally Posted by oguzdinc (Post 2578823)
I also could not solve my problem. As vbulletinsupport told me, I deleted all plugins, and also I deleted ech files and I only have VSa - Advanced Forum Statistics on my website and it is the latest version. I have to delete it?

One main question I have is:

- After you deleted all plugins, did you replace all your files with fresh files?

Let's say you're running vBulletin 4.2.2 - You will need to download a 100% fresh and new copy of the 4.2.2.zip from https://members.vbulletin.com and ensure you overwrite all files with the new files (to ensure any old hacked files are now replaced AND clean).

Note to everyone else: If you want to upgrade to 4.2.3 after fixing 4.2.2 then that is okay, but always be aware that you should replace all the files, with the SAME EXACT version files from a fresh .zip you download from vBulletin.com and FIX the site first THEN you can upgrade if you wish - DO NOT ASSUME that upgrading will simply fix your hacked site, in super duper rare occasions IF it was a simple file edit then it will but 99% of the time it's not that simple.
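
Added example, not part of the post above and not vBulletin's own tooling: overwriting with a fresh .zip replaces stock files but leaves in place any file the release never shipped, so it helps to diff the live tree against a fresh extraction of the same version. The directory layout and file contents below are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare_install(fresh_dir, live_dir):
    """Compare a live install against a fresh extraction of the same version."""
    fresh, live = sha256_tree(fresh_dir), sha256_tree(live_dir)
    return {
        "modified": sorted(f for f in fresh if f in live and fresh[f] != live[f]),
        "missing": sorted(f for f in fresh if f not in live),
        # Files the release never shipped. Config and attachments are expected
        # here; unknown .php files are the ones to review first.
        "extra": sorted(f for f in live if f not in fresh),
    }

def build_demo():
    """Create constructed sample trees (placeholders, not real vBulletin files)."""
    base = Path(tempfile.mkdtemp())
    fresh, live = base / "fresh", base / "live"
    stock = {
        "index.php": "<?php // stock index\n",
        "includes/functions.php": "<?php // stock functions\n",
    }
    for root in (fresh, live):
        for rel, body in stock.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    # Simulate one tampered stock file and one dropped file in the live tree.
    (live / "includes/functions.php").write_text("<?php // stock functions\n// injected\n")
    (live / "includes/cache.php").write_text("<?php // not in the release\n")
    return fresh, live

if __name__ == "__main__":
    fresh, live = build_demo()
    for kind, paths in compare_install(fresh, live).items():
        print(f"{kind}: {paths}")
```

Files listed under "extra" survive an overwrite or an upgrade untouched, so they need a manual review before the site is treated as clean.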

oguzdinc 11-29-2016 05:29 AM

Quote:

Originally Posted by TheLastSuperman (Post 2578866)
One main question I have is:

- After you deleted all plugins, did you replace all your files with fresh files?

Let's say you're running vBulletin 4.2.2 - You will need to download a 100% fresh and new copy of the 4.2.2.zip from https://members.vbulletin.com and ensure you overwrite all files with the new files (to ensure any old hacked files are now replaced AND clean).

Note to everyone else: If you want to upgrade to 4.2.3 after fixing 4.2.2 then that is okay, but always be aware that you should replace all the files, with the SAME EXACT version files from a fresh .zip you download from vBulletin.com and FIX the site first THEN you can upgrade if you wish - DO NOT ASSUME that upgrading will simply fix your hacked site, in super duper rare occasions IF it was a simple file edit then it will but 99% of the time it's not that simple.


Yes, first I deleted plugins and then I upgraded to the latest version. But it did not solve the problem.

mscottralston 11-29-2016 03:05 PM

Hey guys,

Yeah, Google thinks we're still hacked, probably with the original issue (the occasional browser redirect; that password-logging plugin hasn't reinstalled itself yet, at least). I've been following Google's advice, but curl is no help. Inspecting the front page, there are a few JavaScript codes I don't recognize. One might be Google Analytics? The others, I'm not sure.

For your consideration:

<script async="" src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript">
<!--
    if (typeof YAHOO === 'undefined') // Load ALL YUI Local
    {
        document.write('<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"><\/script>');
        document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"><\/script>');
        var yuipath = 'clientscript/yui';
        var yuicombopath = '';
        var remoteyui = false;
    }
    else // Load Rest of YUI remotely (where possible)
    {
        var yuipath = 'clientscript/yui';
        var yuicombopath = '';
        var remoteyui = true;
        if (!yuicombopath)
        {
            document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js"><\/script>');
        }
    }
    var SESSIONURL = "";
    var SECURITYTOKEN = "guest";
    var IMGDIR_MISC = "images/misc";
    var IMGDIR_BUTTON = "images/buttons";
    var vb_disable_ajax = parseInt("0", 10);
    var SIMPLEVERSION = "420";
    var BBURL = "http://privateerpressforums.com";
    var LOGGEDIN = 0 > 0 ? true : false;
    var THIS_SCRIPT = "index";
    var RELPATH = "forum.php";
    var PATHS = {
        forum : "",
        cms : "",
        blog : ""
    };
    var AJAXBASEURL = "http://privateerpressforums.com/";
// -->
</script>

<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"></script>
<style>@media print {#ghostery-purple-box {display:none !important}}</style>
<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"></script>
<script type="text/javascript" src="http://privateerpressforums.com/clientscript/vbulletin-core.js?v=420"></script>
<link rel="stylesheet" type="text/css" href="clientscript/vbulletin_css/style00009l/main-rollup.css?d=1479505047">

---

Since some of those plugins were hung on 'ajax', this seems promising. Any idea what 'Yui' is?

Thanks!

--------------- Added at Unix time 1480440255 ---------------

Also, per Superman's comment: I would very much like to download and rewrite my installation with a fresh copy of my current version (4.2.0, patch 3) before upgrading to 4.2.3, but problematically, only 4.2.0 patch 4 is available for download off the official site. Any suggestions?

Thanks!
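
Added example, not part of the post above: one way to turn "scripts I don't recognize" into an inventory is to list every script URL the page references, including those built inside document.write(), and group them by host. The sample input is a trimmed excerpt of the markup quoted in the post; the function name and the regex heuristic are this example's own.

```python
import re
from urllib.parse import urljoin, urlparse

# Trimmed excerpt of the front-page markup quoted in the post above.
PAGE = r'''
<script async="" src="https://www.google-analytics.com/analytics.js"></script>
<script type="text/javascript">
if (typeof YAHOO === 'undefined')
{
document.write('<script type="text/javascript" src="clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v=420"><\/script>');
document.write('<script type="text/javascript" src="clientscript/yui/connection/connection-min.js?v=420"><\/script>');
}
</script>
<script type="text/javascript" src="http://privateerpressforums.com/clientscript/vbulletin-core.js?v=420"></script>
'''

# Heuristic: matches src on static <script> tags and on tags written as
# string literals inside document.write(). It does not execute JavaScript,
# so URLs assembled at run time are not seen.
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def inventory_scripts(html, base_url):
    """Group every script URL referenced in html by whether it shares base_url's host."""
    own_host = urlparse(base_url).hostname
    result = {"local": [], "external": []}
    for src in SCRIPT_SRC.findall(html):
        url = urljoin(base_url, src)  # resolve relative paths against the forum URL
        bucket = "local" if urlparse(url).hostname == own_host else "external"
        if url not in result[bucket]:
            result[bucket].append(url)
    return result

if __name__ == "__main__":
    found = inventory_scripts(PAGE, "http://privateerpressforums.com/")
    for bucket, urls in found.items():
        print(bucket)
        for url in urls:
            print("   ", url)
```

The inventory only describes the one response it was given. A "local" URL still has to be checked on disk, since a script served from the forum's own host can itself be a modified file.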

Dave 11-29-2016 03:33 PM

YUI is Yahoo User Interface, if I recall correctly. You can overwrite it with the higher patch version just fine; patches simply overwrite files that had a bug or exploit and, I believe, never require additional installation.

Paul M 11-29-2016 06:49 PM

Quote:

Originally Posted by mscottralston (Post 2578887)
I would very much like to download and rewrite my installation with a fresh copy of my current version (4.2.0, patch 3) before upgrading to 4.2.3, but problematically, only 4.2.0 patch 4 is available for download off the official site. Any suggestions?

Not sure why you would bother, but just use the Patch 4 files.

You would be better off just uploading the 4.2.3 files and upgrading.

