vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   Trojan warnings when clicking on Google search results into our MB. (https://vborg.vbsupport.ru/showthread.php?t=317534)

Bill Stuntz 02-26-2015 07:10 PM

Trojan warnings when clicking on Google search results into our MB.
 
1 Attachment(s)
I can't find any CURRENT info about this here, or on the .com support forum - it all seems to be from about 2013. As far as I can tell, the posts Google finds that cause the problem are all old ones.

This search: https://www.google.com/?gws_rd=ssl#q...ial+clock+1729 returns the following result - (slightly obscured by me in this post in case it actually IS dangerous)

ZZZ.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CB4QFjAA&url=http%3A%2F%2Fmb.nawcc.org%2Fshowthread.php%3F103674-Colonial-Grandmother-model-1729&ei=qY3uVNGkHYWryASX7YLwDA&usg=AFQjCNEZafzDDfRC-ef5Tq5t80JbXe680Q

I'm finding so much conflicting information I don't know what to believe - "Your site IS infected" or "It's a vB problem" or "It's Google's problem" or "It's the user's Windows computer that's infected"

I HAVE scanned our site using various online tools, and everything I've done leads me to believe that we're clean. And I've scanned my Windows machine using several different AV tools with nothing found.

CAG CheechDogg 02-26-2015 07:50 PM

Sometimes there are 3rd party links hidden in a post anywhere on a site or forum content and you get this ... a simple image that is being served from somewhere else besides your site can make "Avast" spit that out ... I have Avast and it does that all the time ... now not on our site but other sites and very rarely on ours ... If I see this pop up on our site I stay on that page and look at all the content on that page when Avast spits that out ...

Be glad that Avast actually catches all that ... and I wouldn't worry about it that much either ... do you have a link to your site where I can go that might spit that out from time to time?

ForceHSS 02-26-2015 08:08 PM

Not getting anything with the link

CAG CheechDogg 02-26-2015 08:12 PM

Quote:

Originally Posted by ForceHSS (Post 2538898)
Not getting anything with the link

Me neither ... Like I said .. it could have been a link somewhere or even an image and Avast decided to spit out a false positive, which it is known to do quite often ... I wouldn't worry at all ...

Bill Stuntz 02-26-2015 08:40 PM

I haven't been able to generate any AV hits using this direct link to the post: http://mb.nawcc.org/showthread.php?1...her-model-1729

And using Google's link, the behavior is so darn unpredictable I don't know what to think.
Caution: Here's the un-obscured link:
http://www.google.com/url?sa=t&rct=j...mSda8GPqcUCzFQ

But we're getting complaints from users, and one of the moderators reported the problem to me privately last week, with a screen shot identical to the one I posted here. The mod was using Avast, so I installed it and couldn't reproduce it last week, but I HAVE been able to intermittently reproduce it last night & today from the complaining user's link. I don't know what AV anyone else is using - they haven't replied to my question.

P.S. The screen shot I posted was from MY computer last night. And the AV hit was on my HOST computer's screen when I followed that Google link in my VIRTUAL XP. I disabled the Avast on the HOST, and the message showed up again from the VM's Avast.

I'm fairly sure our MB is NOT infected, but it might be difficult to convince our visitors of that.

TheLastSuperman 02-26-2015 09:54 PM

- Upload 100% fresh files from a brand new vbulletin .zip (download the exact same version you're on now, once you fix the exploit/virus you can then upgrade but not before).
- Check to see if you're using a version that's still utilizing an outdated and prone to exploit swf file: http://www.vbulletin.com/forum/forum...ecommended-fix (if so then use this: https://vborg.vbsupport.ru/showthread.php?t=307008 )

It sounds like the filestore72 or 123 exploit from a while back, so basically you're only being redirected to malicious/porn/similar sites from the Google links correct?

- If no then it's another exploit/virus.

- If yes upload fresh files like I mentioned above, then go to AdminCP > Server Settings and Optimization Options > User Remote YUI > *If that is set to google or yahoo or none change the setting to check, if changing to google or yahoo does not work try none and use local files (you just overwrote any bad files with fresh files remember) and now clear your site's cache, your browser cache, AND cookies - close your browser afterwards and DO NOT follow any bookmarks (delete those if you had them saved in browser and remake them)... now when you re-open your browser go to google and check the sub-links: are they fixed?
-- If fixed now upgrade.
-- If not fixed then it's more than likely not filestore72 or a variant.

*Also use suspect files in admincp > maintenance; they could have dropped a shell script on your server, modified plugins and/or edited one if not all of your .php files. This could be coming from a base64 snippet in a file or in a template they added.
**Also in your browser, change your home page and make it https://www.google.com because it's adding in the ?gws_rd=ssl in the url since your browser has the old url saved as your home page setting; they've since made that page https versus the old url which was http.
***Last * else you might die from over-use LOL no but seriously, Google does not normally give out virus/infected warnings unless something is actually up so from me to you, please never assume it's a false-alarm or false-positive - always confirm, else anytime someone visits your site, it's your site that's placing them at risk.

http://www.vbulletin.com/forum/blogs...ve-been-hacked
http://www.vbulletin.com/forum/blogs...vbulletin-site
http://www.vbulletin.com/forum/forum...lestore72-info
This is not filestore however it shows an example of what might be added in .php files:
http://www.innovationbyinstinct.com/...um-and-admincp

Bill Stuntz 02-26-2015 10:30 PM

Quote:

***Last * else you might die from over-use LOL no but seriously, Google does not normally give out virus/infected warnings unless something is actually up so from me to you, please never assume it's a false-alarm or false-positive - always confirm, else anytime someone visits your site, it's your site that's placing them at risk.
That's why I've spent all day trying to figure this out - I didn't know WHAT to believe, especially since pretty much all the info I've been able to find is from 2013. And I REFUSE to ignore stuff like this.

Will this do anything to help our users who might have been affected? If NOT, what do you suggest?

TheLastSuperman 02-26-2015 10:38 PM

Quote:

Originally Posted by Bill Stuntz (Post 2538915)
That's why I've spent all day trying to figure this out - I didn't know WHAT to believe, especially since pretty much all the info I've been able to find is from 2013. And I REFUSE to ignore stuff like this.

Will this do anything to help our users who might have been affected? If NOT, what do you suggest?

It depends on what this ends up actually being, heck your pc could be infected, it just depends. I'd certainly trace it down and ensure it's clean above all else though, try what I mentioned above or rather the short version:

1) Replace all files with fresh files from a newly downloaded vbulletin.zip.
2) Change YUI setting.
3) Now check, fixed?

Edit: You can and probably should run a scan using whatever anti-virus or anti-thisORthat software you have protecting your pc, not sure what you're using but best to scan. *Don't install 2 to 3 of the same things i.e. don't install Norton and Avast or another anti-virus, they will conflict. I'd run a scan with your anti-virus program then you can go further from there if you find or feel your pc is infected, such as JRT.exe which is Junkware Removal Tool / Spybot Search & Destroy / HiJack This HOWEVER BE FOREWARNED some of these require an experienced user, they can and will allow you to delete pertinent REQUIRED files so don't do anything if you're not familiar with the programs OR if you're not going to take the time to read up on all of this before blindly cleaning something ok? :cool:.
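The two posts above from TheLastSuperman both come down to the same check: compare the live vBulletin install against a freshly downloaded copy of the exact same version, and look for injected PHP (base64/eval snippets, dropped shell scripts) in anything that differs or was added. The script below is an added example, not code from the thread or from vBulletin; it builds a small constructed "clean" and "live" tree in a temp directory so it runs offline, then reports modified/added/missing files and flags PHP files matching a few common injection patterns. The pattern list and the default ignore entry (`includes/config.php`, which is not in the fresh zip but is expected on a live site) are assumptions, and the heuristics are a starting point for review, not a complete scanner.

```python
"""Compare a live vBulletin tree against a fresh unpack of the same version
and flag PHP files that look like they carry injected code.

Added example for the thread above, not vBulletin's own tooling.
Run stand-alone to see a demo on constructed sample trees.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns typical of injected PHP (assumption: not exhaustive, review hits by hand).
SUSPICIOUS_PATTERNS = [
    ("eval_base64", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
    ("long_base64_literal", re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{100,}")),
    ("eval_gzinflate", re.compile(rb"eval\s*\(\s*gzinflate\s*\(")),
    ("preg_replace_e", re.compile(rb"preg_replace\s*\([^,]*/e['\"]")),  # /e modifier executes the replacement
]

# Files expected to differ from a fresh zip on any live install (assumption: extend per site).
DEFAULT_IGNORE = {"includes/config.php"}


def sha256_file(path):
    """Hash a file in chunks so large attachments do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root, ignore=DEFAULT_IGNORE):
    """Return which live files are modified, added, or missing versus the clean unpack."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(k for k in clean if k in live and clean[k] != live[k] and k not in ignore)
    added = sorted(k for k in live if k not in clean and k not in ignore)
    missing = sorted(k for k in clean if k not in live)
    return {"modified": modified, "added": added, "missing": missing}


def scan_suspicious(root, exts=(".php", ".inc")):
    """Return {relative path: [pattern labels]} for PHP-like files matching any pattern."""
    hits = {}
    root = Path(root)
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            data = p.read_bytes()
            matched = [label for label, pat in SUSPICIOUS_PATTERNS if pat.search(data)]
            if matched:
                hits[p.relative_to(root).as_posix()] = matched
    return hits


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def build_demo():
    """Create constructed sample trees (not real vBulletin files) and return (clean, live)."""
    clean = tempfile.mkdtemp(prefix="vb_clean_")
    live = tempfile.mkdtemp(prefix="vb_live_")
    originals = {
        "index.php": "<?php echo 'index';\n",
        "global.php": "<?php echo 'global';\n",
        "includes/functions.php": "<?php function fetch_foo() { return 1; }\n",
    }
    for rel, content in originals.items():
        _write(clean, rel, content)
        _write(live, rel, content)
    # Constructed tampering: an appended eval/base64 stub and a dropped file in an image directory.
    _write(live, "includes/functions.php",
           originals["includes/functions.php"] + 'eval(base64_decode("' + "A" * 120 + '"));\n')
    _write(live, "images/misc/cache.php", "<?php eval(gzinflate(base64_decode('x')));\n")
    _write(live, "includes/config.php", "<?php $config = array();\n")  # expected on a live site
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    print("diff:", compare_trees(clean_dir, live_dir))
    print("suspicious:", scan_suspicious(live_dir))
```

In practice point `compare_trees` at the unpacked upload folder of the freshly downloaded zip and at the web root; review every "modified" and "added" entry, and treat the pattern hits as leads to inspect rather than proof, since some legitimate code also uses base64.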

ForceHSS 02-26-2015 11:09 PM

Best scanner around: http://www.eset.com/us/online-scanner

Bill Stuntz 02-26-2015 11:13 PM

My problem now is that I don't have access to the server itself, just vB. So I'm passing this stuff up the line to actually get it done.

Thanks. I occasionally use every one of the tools you mention (and more) as cross-checks on my own machine. I'm NEARLY 100% sure I'm clean on my end.

I DO have multiple AV programs installed, but only 1 is active at a time - I don't trust ANY of them 100%. I've been de-gunking PCs for years - probably several hundred of them. And since I infected a customer's PC with Chernobyl way back when, I'm paranoid about keeping my own PC clean. I was running McAfee under Win95 at the time and it wouldn't auto-update for some reason. So I was manually updating daily. When I installed MS Plus, it was "nice" enough to sneak in a new copy of exactly the same version of McAfee that I was already running - but in a different directory. I was manually updating the copy I had installed and THOUGHT was running, not the one that actually WAS running. It's almost funny looking back on it, but it certainly wasn't funny then.

