Thanks for all the help Wayne.

Wayne Luke I have done all of this and then suddenly today the site started to get populated again with new index.php and a new .ico-file. I have also changed passwords for the db-user that is used in the config.php. Is there a chance that there could be some things in the database? And in that case, how can I locate that?

Exactly the same happened to me.

Then you haven't completely checked your site. I can't provide instructions for what occurs outside the vBulletin directory. I have absolutely no information on how your sites are configured beyond what put into your posts on this site. 99% of all topics don't even give the basic information to resolve issues.

You will need to check files outside of the vBulletin Directory as well. I figured it was implied for anyone who has run a website for any period of time to check this.

You have a lot of different levels on your customers. It does not help the situation to tell me what you implied. It would be much better if you spelled it out.
I have been running my site for twelve years and am doing my best. Both solving the problem and giving you the information I think you need. I am paying for ticket support but think it is better to ask questions here since it will help other people as well, even if it makes me look stupid by asking things that is obvious for you. So please help us instead of telling us that we are stupid (as you implied).

About this issue I have so before the malware popped up again I have:
- examined php-files that was created by the malware and figured out where they placed the ico-file that was a Kryptiks malware.
- I renamed the .ico-file so they could not call it anymore
- I ftp-ed all files from the server to my computer where I used notepad++ to look through all files for a part of the string that I found in the first index.php that I knew they had created.
- I I deleted all index.php that they created.
- I erased the code that they had injected in a couple of PHP-files
- I followed the instructions you gave in another post in this topic.

So, what more information do you need and what else do you think I should have done?

If you had uploaded a new copy of vBulletin 5.5.4 Patch Level 1 and deleted the old directory, you wouldn't have had to look through files. Did you look through every directory? My guess there is some file 5 or 6 levels deep in the /js/ckeditor directory that was missed. Or it could be in an attachment directory deep in the system if you store your attachments in the file system and they are located within the public_html directory.

In order for us to look closer, please open a Support Ticket. Reference this topic and provide SFTP, cPanel, and vBulletin AdminCP login information.

Yes I looked through the entire system, including everything that was not vBulletin. I also removed the ico-file that the php-scripts pointed to. And still it showed up again. I am in the middle of making a complete new install together with my host so I will go through a support ticket if that does not help.

Wayne, can I install the latest 5.5.4 version if 5.5.2 was installed during the hack? Or first I have to put 5.5.2, and then upgrade to 5.5.4?

You should upload the vBulletin 5.5.4 Patch Level 1 files in a new directory and then run upgrade.php against your database. The old directory should be removed from the web root.