In the first place, I would try to determine how and where the attacks are coming from. Especially how the attackers got into your network. As long as this is not known, it makes no sense to try to stop the attack, because the attack can be started again at any time. Start insolating the client systems and try to clean them up. For example, use a boot CD to perform the scan independently of the operating system.
There are so many steps that need to be taken, unfortunately it is not possible to list everything here. Good luck!