Thanks Peter,
The subscriber/user didn't have access to SSH , so should I be alright then?
I found trojans on tmp files (on root folder and var/tmp), however I cannot disable the exec permissions as I couldn't login to the Plesk webpage.
At the moment I removed all files from the main domain...