Wow, fun week for me to be gone. vg12, PM me on this if you need more help. I've spent more time in this arena than I care to remember.

In the short run, the advice people have posted here is a very good start. The basic logic is that if the availability of those systems is more important to your business than tracking down someone to punish, then nuke the hard drive and drop a fresh OS onto the system. Be very, very careful using backups to reinstall unless you can pinpoint when you were infected and can get a backup from before that point. Also, don't trust the data on your system. Just because you put a shiny new OS onto the box doesn't mean you are safe to copy data files or third-party apps from the infected system. I've seen people do that a million times.

When you are trying to figure out where this stuff came from, don't forget to look outside the infected system. Check firewall and router logs that would show traffic to that box. More often than not that will give you hints as to how they got onto your system, and they are more trustworthy than the logs on the compromised system.

Your first issue should be to identify the infection source, and it is usually going to fall into 3 areas: an infected file executed on the system, a host-based attack aimed at the OS, or an application-level attack. If it was an infected file of some type, you are going to have to try and find evidence in the system logs. You might also find evidence in your router or firewall logs of the tools trying to "call home" after the infection occurred. If it was a host-based attack your efforts will fall evenly between system and network logs. This is where you'll see someone or something launching attacks specific to a certain OS. Application-level attacks are similar in that they might go to certain ports, but the big focus here should be anything over your HTTP ports (80, 8080, etc.). This is where you will usually see people throwing "the kitchen sink" at the web applications. It is pretty common to see hundreds of attacks within a couple of minutes, usually SQL/CRLF/LDAP/etc. injections and cross-site scripting as well as IIS and Apache attacks.

All that being said, the safest thing to do is nuke that hard drive, install a new OS, and rebuild your data.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
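An added example, not part of the post above or its author's work: a small Python triage script that applies the advice about firewall/router logs to a constructed log sample. It flags an external source hammering the web server's HTTP ports (the "kitchen sink" pattern), lists every connection the server itself opened to an outside address (the "call home" traffic), and uses the two together to bound the infection time so you know which backups predate it. The log format, the server address 192.0.2.10, the internal range 192.0.2.0/24, the burst threshold and all sample lines are assumptions for illustration, not anything from the original thread.

```python
"""Triage a firewall/router connection log for a suspected web-server compromise.

Everything below is constructed for illustration: the log format, the addresses
and the thresholds are assumptions, not taken from any real device or incident.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEB_SERVER = ipaddress.ip_address("192.0.2.10")      # assumed address of the compromised box
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range
HTTP_PORTS = {80, 443, 8080}                         # the "http ports" the post points at

# Constructed sample log (not real traffic). One connection per line:
# timestamp action src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2024-03-02T10:14:00 ALLOW 198.51.100.5 40001 192.0.2.10 80 TCP
2024-03-02T10:14:01 ALLOW 203.0.113.7 51001 192.0.2.10 80 TCP
2024-03-02T10:14:01 ALLOW 203.0.113.7 51002 192.0.2.10 80 TCP
2024-03-02T10:14:02 ALLOW 203.0.113.7 51003 192.0.2.10 80 TCP
2024-03-02T10:14:02 ALLOW 203.0.113.7 51004 192.0.2.10 80 TCP
2024-03-02T10:14:03 ALLOW 203.0.113.7 51005 192.0.2.10 80 TCP
2024-03-02T10:14:03 ALLOW 203.0.113.7 51006 192.0.2.10 80 TCP
2024-03-02T10:14:04 ALLOW 203.0.113.7 51007 192.0.2.10 80 TCP
2024-03-02T10:14:04 ALLOW 203.0.113.7 51008 192.0.2.10 80 TCP
2024-03-02T10:14:05 ALLOW 203.0.113.7 51009 192.0.2.10 80 TCP
2024-03-02T10:14:05 ALLOW 203.0.113.7 51010 192.0.2.10 80 TCP
2024-03-02T10:14:09 ALLOW 203.0.113.7 51011 192.0.2.10 8080 TCP
2024-03-02T10:15:30 ALLOW 192.0.2.10 49152 203.0.113.99 6667 TCP
2024-03-02T10:15:31 ALLOW 192.0.2.10 49153 203.0.113.99 6667 TCP
2024-03-02T10:16:00 DENY 192.0.2.10 49154 203.0.113.99 4444 TCP
2024-03-02T10:20:00 ALLOW 192.0.2.10 49155 192.0.2.53 53 UDP
2024-03-02T10:21:00 ALLOW 198.51.100.5 40002 192.0.2.10 80 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)$"
)


def parse_log(text):
    """Parse connection records; lines that don't match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return records


def inbound_http_bursts(records, threshold=8, window=timedelta(seconds=60)):
    """External sources that opened >= threshold connections to the server's HTTP
    ports inside any `window`. Returns {src: (total_hits, first_ts, last_ts)}."""
    by_src = defaultdict(list)
    for r in records:
        if r["dst"] == WEB_SERVER and r["dport"] in HTTP_PORTS and r["src"] not in INTERNAL_NET:
            by_src[r["src"]].append(r["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[str(src)] = (len(times), times[0], times[-1])
                break
    return bursts


def outbound_callhome(records):
    """Connections the web server itself initiated to addresses outside INTERNAL_NET.
    A box that only serves HTTP should rarely originate such traffic, so every entry
    (DENY lines included) is a lead on the attacker's infrastructure."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "actions": set()})
    for r in records:
        if r["src"] == WEB_SERVER and r["dst"] not in INTERNAL_NET:
            h = hits[f"{r['dst']}:{r['dport']}/{r['proto']}"]
            h["count"] += 1
            h["first"] = r["ts"] if h["first"] is None else min(h["first"], r["ts"])
            h["actions"].add(r["action"])
    return dict(hits)


def compromise_window(records):
    """(attack_start, first_callhome): backups must predate attack_start to be
    trusted; the box was under attacker control no later than first_callhome."""
    bursts, callhome = inbound_http_bursts(records), outbound_callhome(records)
    if not bursts or not callhome:
        return None
    attack_start = min(first for _, first, _ in bursts.values())
    first_out = min(h["first"] for h in callhome.values())
    return attack_start, first_out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, (n, first, last) in inbound_http_bursts(recs).items():
        print(f"burst: {src} opened {n} HTTP connections between {first} and {last}")
    for dst, h in outbound_callhome(recs).items():
        acts = ",".join(sorted(h["actions"]))
        print(f"call-home: server -> {dst} x{h['count']}, first seen {h['first']} ({acts})")
    if (w := compromise_window(recs)):
        print(f"restore only from backups taken before {w[0]}; box was phoning home by {w[1]}")
```

The two outbound entries are the point of the exercise: the server never legitimately dials out to 6667 or 4444, so those lines identify the attacker's drop point and also give you the latest moment the box could have been clean, while the burst that precedes them gives the conservative cut-off for which backup to restore from. Real firewall exports will need their own regex, but the logic (inbound burst to the service ports, then outbound from the victim to somewhere new) is the same.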