Hey guys.
I have run ClamAV and I keep finding php scripts that are being put into my web server.
Here is an example of the script:
http://puu.sh/pibQg/5e44f81d25.png
It displays all of the files on the webserver, and all of the php coding including mysql passwords.
I have monitored FTP, and they are not getting through with that. I have deleted a script 2 days ago, and today these appeared again. I don't know how they are getting access to my server and downloading. They appear in different directories on the webserver each time. Not just the same one. It could be in the IPB Forum directory or a completely different sub domain directory.
Also, I checked 2 days ago, and I saw 2 user accounts in windows with admin permissions, named "admins" and "guest2". On the desktop for this user, there was some viruses. I deleted them and they have not reappeared.
There is no way they can get my root password for remote desktop.
Please help