I give support to a workgroup of 40 Windows XP computers and 5 servers (4 Windows Server 2003 and 1 Windows Server 2008). This is the second time that my ISP has called me and told me that my IP is being used to attack a remote server.
A couple of months ago, I accessed one of my servers through Remote Desktop and I saw a brute-force application trying to access someone else's Windows server. I have disabled Remote Desktop for that server since then.
All of these servers have Clam free antivirus software. All desktops have AVG or another free antivirus solution.
My question is: How can I identify which computer is the one that is performing the attack, what software would you recommend to get rid of any malware, and what else should I do?