Archives for: January 2009, 02

'Yahoo! Counter starts' trojan that affects VBulletin and other forum software

01/02/09 | by Bob | Categories: Security

Link: http://vbadvice.blogspot.com/2008/12/yahoo-counter-starts-trojan.html

I found this excellent advice for the removal of the 'Yahoo! Counter starts' trojan from your database. This was from a VBulletin user.

I found a relatively simple fix for the 'Yahoo! Counter starts' trojan that affects VBulletin and other forum software. Here's what I did:

I did a backup of the SQL database in VBulletin:
I went into the Admin Panel; clicked Maintenance, database backup.
At the bottom of that page, I went to the section that says
Backup database to a file on the server. Then I did the following:

1. made new directory within the /forum/ folder called /backup
2. made new directory worldwritable:
   chmod 777 backup
3. entered location for backupfile in Admin panel:
   ./backup/forumbackup-year-month-day.sql
4. Clicked save

Then I went into site by FTP and downloaded the SQL backup file,
and deleted the file from the site, and deleted the folder.

Then I searched the backed up SQL file for 'Yahoo! Counter' and found
two sections of code that had been inserted into the database by the trojan.

I found the code by doing a backup of the entire database with vBulletin,
then searching the SQL file generated by that back up.
Both sections of code have 'Yahoo! Counter' in them.

Then I logged into my website hosting company's control panel, and used
phpMyAdmin to go into the MySQL database (I have IXwebhosting), and
I edited the affected tables (the names of the tables were found from the
previous search of the backed up SQL file).

datastore options
[datastore is the name of a table in the database,
and options is a section within that table]

and likewise with:

setting description

The section of bad code in datastore begins with:

1108:\"\" />

and then continues on to include:

Yahoo! Counter starts

and then continues on to end with:

name=\"yahoo\" content=\"count\"

and the repaired code in 'datastore options' should include:

;s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1

The bad code had changed
;s:0:
to
;s:1108:
and then added the malicious code after the 1108. So after deleting the bad section of code, I made sure the repaired code had the zero and not the 1108.

The section of bad code in 'setting description' was easier to fix.
This good code:

INSERT INTO setting VALUES('description', 'general', '',
'This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .',
'', '20', '0', '1', 'free', 'vbulletin', '', '0');

had been replaced by a long section of code that included the text:
Yahoo! Counter starts

I replaced that long section of code with the text:

This is a discussion forum powered by vBulletin. To find out about vBulletin, go to http://www.vbulletin.com/ .

This worked for me. I don't know if it will work for anyone else.
Proceed similarly at your own risk.
Good luck!
Posted by JT at 6:08 PM
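
The two manual checks from the post above, written out as an added example (not code from JT's post or from vBulletin): find which tables in the backup contain the marker string, and confirm that the `s:N:` length prefix in 'datastore options' matches the text that follows it after the repair. The function names and sample data are constructed for illustration, and the dump is assumed to hold plain-text INSERT INTO statements with quotes escaped as \" as shown in the post.

```python
import re

MARKER = "Yahoo! Counter"  # the string the post searched the backup for

def tables_with_marker(dump_text, marker=MARKER):
    """Return the tables whose INSERT statements contain the marker."""
    hits, current = set(), None
    for line in dump_text.splitlines():
        m = re.match(r"\s*INSERT INTO `?(\w+)`?", line)
        if m:
            current = m.group(1)  # a statement may wrap over several lines
        if current and marker in line:
            hits.add(current)
    return sorted(hits)

def description_length_ok(escaped_options):
    """Check the s:N: prefix of the 'description' entry in datastore options.

    Returns (declared_length, ok). ok is False when the N bytes after the
    prefix are not followed by '";', which makes PHP's unserialize() fail.
    """
    data = escaped_options.replace('\\"', '"').encode("utf-8")
    m = re.search(rb's:11:"description";s:(\d+):"', data)
    if m is None:
        return None, False
    n = int(m.group(1))
    end = m.end() + n
    return n, data[end:end + 2] == b'";'

# Constructed sample data (not taken from a real infected dump).
SAMPLE_DUMP = "\n".join([
    "INSERT INTO datastore VALUES('options',",
    " '...<!-- Yahoo! Counter starts (constructed placeholder) -->...');",
    "INSERT INTO setting VALUES('description', 'general', '',",
    " '<!-- Yahoo! Counter starts (constructed placeholder) -->', '', '20');",
    "INSERT INTO user VALUES('1', 'admin');",
])
REPAIRED = r';s:11:\"description\";s:0:\"\";s:12:\"useforumjump\";i:1'
HALF_FIXED = r';s:11:\"description\";s:1108:\"\";s:12:\"useforumjump\";i:1'

if __name__ == "__main__":
    print(tables_with_marker(SAMPLE_DUMP))
    print(description_length_ok(REPAIRED))
    print(description_length_ok(HALF_FIXED))
```

HALF_FIXED is the case where the inserted code was deleted but the 1108 was left in place: the marker is gone, yet the stored options no longer unserialize.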


Checkup for January 2nd 2009

01/02/09 | by Bob | Categories: Security

Well, first, happy new year, people. I just did a checkup of my web sites, and all are still clean. Again, they have been clean since I started over with a new MySQL database, a new set of files (all files, PHP and HTML) and changed my FTP passwords. If you're reading this for the first time, check my earlier posts for info on how to clean up existing databases, and some other useful info. If I find out for sure how this junk got on our web servers in the first place, I'll pass that info on to you.


About today's computer / internet technology and security info.
