TL;DR

I'm pretty sure our small network has been infected by some sort of worm/virus. It seems to only be afflicting our Windows XP machines, however. Windows 7 machines and Linux (well, yea) computers seem to be unaffected. Anti-virus scans are showing nothing, but our domain server has logged thousands of failed login attempts on various valid and invalid user accounts, particularly the administrator. How can I stop this unidentified worm from spreading?

Symptoms

A few of our Windows XP users have reported similar problems, although not entirely identical. They all experience random shutdowns/restarts that are software initiated. On one of the computers a dialog pops up with a countdown until system restart, apparently started by NT-AUTHORITY\SYSTEM and has to do with an RPC call. This dialog in particular is exactly the same as those described in articles detailing older RPC exploit worms.

When two of the computers rebooted, they came back up at the login prompt (they are domain computers) but the user name listed was 'admin', even though they hadn't logged in as admin.

On our Windows Server 2003 machine running the domain, I noticed several thousand login attempts from various sources. They tried all different login names including Administrator, admin, user, server, owner and others.

Some of the logs listed IPs, some didn't. Of the ones that did have source IP address (for the failed logins) two of them correspond to the two Windows XP machines experiencing reboots. Just yesterday I noticed a bunch of failed login attempts from an outside IP address. A traceroute showed that outside IP address to be from a Canadian ISP. We shouldn't have an connections from there, ever (we do have VPN users though). So I am still not sure whats going on with the login attempts coming from a foriegn IP.

It seems obvious that some sort of malware is on these computers, and part of what it does is try to enumerate passwords on domain accounts to gain access.

What I've Done So Far

After realizing what was happening, my first step was to make sure everyone was running up-to-date anti-virus and did a scan. Of the computers affected, one of them ha an expired anti-virus client, but the other two were current versions of Norton and full scans of both systems turned up nothing.

The server itself regularly runs up-to-date anti-virus, and has not shown any infections.

So 3/4 of the Windows NT based computers have up-to-date anti virus, but it hasn't detected anything. However I am convinced that something is going on, mainly evidenced by the thousands of failed login attempts for various accounts.

I also noticed that the root of our main file share had pretty open permissions, so I just restricted it to read+execute for normal users. The administrator has full access of course. I am also about to have the users update their passwords (to strong ones), and I am going to rename to Administrator on the server and change its password.

I already took of the machines off of the network, one is being replaced by a new one, but I know these things can spread through networks so I still need to get to the bottom of this.

Also, the server has a NAT/Firewall setup with only certain ports open. I have yet to full investigate some of the Windows related services with ports open, as I am from a Linux background.

Now what?

So all the modern and up-to-date anti-virus hasn't detected anything, but I am absolutely convinced these computers have some sort of virus. I base this on the random restarts/instability of the XP machines combined with the thousands of login attempts originating from these machines.

What I plan on doing is backing up user files on the affected machines, and then reinstalling windows and freshly formatting the drives. I also am taking a few measures to secure the common file shares that may have been used to spread to other machines.

Knowing all this, what can I do to ensure that this worm isn't somewhere else on the network, and how can I stop it from spreading?

I know this is a drawn out question, but I am out of my depths here and could use some pointers.

Thanks for looking!