It's also completely fucking ridiculous that we users are expected to have an anti-virus, but the webserver this website is hosted on doesn't even have one, what a joke. Since no admin or mod has considered messaging me for help on this issue, I will post it publicly.
Back up the forum skin (only its skin), back up the forum images (only the images). DO NOT BACK UP ANY .PHP FILES AS THEY MAY BE A SHELL (i.e. a backdoor).
Back up the SQL database. Extract all backed up files to another machine, and run a virus scan on all files. Reformat the server this forum is hosted on, or at least that partition if it's a VPS, reconfig the server (should be fast, it's just a simple webserver, I also recommend nginx or IIS if security is a concern, like here). Do a CLEAN install of vBulletin (if the vBulletin is nulled/illegal, you can forget security, there is a reason people null/crack web software, and it's to have access to the websites using it (i.e. hack them)). After you have done a clean install, replace the SQL database the clean install is using with the backup so it will restore all users, content, posts, etc. Then overwrite your images folder and replace the skin. Make sure a decent webserver anti-virus is installed such as Kaspersky Server, or if you are running a Windows server, Microsoft Security Essentials is just perfect.
Once all of this is complete, change SQL admin/db passwords, and then of course change them in the config.php of vBulletin. Next, make sure your read/write permissions are correct according to your web software (in this case, vBulletin). Make sure you are closing all ports as this site is only using port 80 to broadcast on, if you are secretly running an FTP server, make sure the password is complex enough so that a "hacker" will not gain access and upload a malicious file. Make sure anywhere a default password may have been used on your server that it is CHANGED (use capitals, lower case, letters, numbers AND special characters, you do NOT need to remember the password, simply paste it somewhere in a notepad file and write it down on a physical piece of paper -- to make it harder for hackers to brute force or use other means of getting in).
Add a cool-down to login attempts - meaning, make sure that if 3-4 invalid logins are made in let's say 5-10 minutes on the backend side (server/cpanel, etc.) that the IP that made the invalid login attempts is blocked for at least 15 minutes. Run a few scan tools such as Acunetix or nexus on the webserver/site and make sure there are no vulnerabilities existing, such as SQL injection, outdated software/OS, Windows updates, etc. And finally, add a connection limit such as 3-4 connections max PER IP. All of this will greatly reduce the surface area making it harder for hackers. The reason for deleting and doing a clean install is to remove any secondary backdoors the hacker may have left as the first one was discovered. Anyone who takes the time to hack a website will always leave a backdoor to get back in after being discovered, there is NO USE in removing the malicious code/file if you are going to use the same frame it was hacked on, don't be lazy - redo it.
People's credit card info, personal info, etc. are at risk and like I said the majority of people on this forum do use their credit cards to buy supplies/seeds online. Be smart about this, it's not something to be taken lightly. When people start noticing illegal changes on their account, new bank accounts being opened in their name/SSN, their PayPals being hacked etc. and have to start making phone calls to these agencies to have their problems fixed it will be far too late. Snip it NOW
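The login cool-down rule from the post above (a few invalid logins inside a short window gets the source IP blocked for 15 minutes), as an added example that is not part of the original post. It picks 4 failures in 10 minutes from the ranges given; the log format, the IP addresses and the `LoginCooldown` name are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 4                    # assumption: upper end of "3-4 invalid logins"
WINDOW = timedelta(minutes=10)      # assumption: upper end of "5-10 minutes"
BLOCK_FOR = timedelta(minutes=15)   # "blocked for at least 15 minutes"

# Constructed sample events: "<ISO timestamp> <source IP> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T12:00:00 203.0.113.7 FAIL
2024-01-01T12:01:00 203.0.113.7 FAIL
2024-01-01T12:02:00 198.51.100.9 FAIL
2024-01-01T12:03:00 203.0.113.7 FAIL
2024-01-01T12:04:00 203.0.113.7 FAIL
2024-01-01T12:18:59 203.0.113.7 OK
2024-01-01T12:19:00 203.0.113.7 OK
2024-01-01T12:30:00 198.51.100.9 FAIL
"""

class LoginCooldown:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires

    def attempt(self, ts, ip, ok):
        """Return 'blocked', 'allowed' or 'rejected' for one login attempt."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"                # refused even if the password is right
        if ok:
            return "allowed"                # success does not reset the failure count
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = ts + BLOCK_FOR
            recent.clear()
        return "rejected"

def replay(log_text):
    guard, verdicts = LoginCooldown(), []
    for line in log_text.splitlines():
        stamp, ip, result = line.split()
        verdicts.append(guard.attempt(datetime.fromisoformat(stamp), ip, result == "OK"))
    return verdicts

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(line, "->", verdict)
```

The counter is kept per source IP and is not cleared by a successful login, so interleaving one valid login between guesses does not restart the allowance.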