Firstly, I appreciate the time people take out here to help others, so thanks a lot in advance. I am also quite happy to consider paying, so if someone is able to recommend a good company/individual to help with this I'd be open to that also.
I look after a Linux-based server with a Samba share that is used by a small office (three users) and is accessed by 2 Windows 7 machines, 2 old Windows XP machines riddled with malware, and a Windows "server" that is just running XP Pro but is clean. The 2 Windows 7 machines are pronounced clean by MS SE also. (It's actually my dad's office... so my backup plan was a bit lax unfortunately and had a bug from the last release.)
At the end of last week some of the users reported Excel not being able to open some files on the Samba share; by the time I worked out they were getting encrypted and pulled all the machines off the network, most of the share had been affected. The pattern seems similar to CryptoLocker in that there were .exe files in the root with the same names as the directories, and I also found porn.exe, sexy.exe and x.mpeg in the root of the share.
After verifying the Windows "server" and Windows 7 machines are clean (and I manually checked the registry also by searching for "CryptoLocker" and looking in HKCU\Software to make sure it's not on those machines), those have been let back on the network. The two other XP machines are still quarantined and seem riddled with various items of malware. I deliberately haven't run a scan yet to clean them. However, neither of these machines has CryptoLocker on them either (checked the registry and AppData\ for the .exe pattern filename).
So clearly something has encrypted the data on the share, but I no longer think that it is CryptoLocker, which makes me think it may be possible to recover the data if it's weak encryption.... but I guess I need to identify the virus first?
In terms of remote access (in case it's not a virus inside the network), some of the machines have LogMeIn and TeamViewer installed that people use to work remotely (against advice because...) and there is a Cisco RV042 VPN router running an IPsec VPN. The Windows "server" has RDP enabled. There is no port forwarding, so you have to VPN into the network first before accessing any internal resources. Not sure if any of that could have led to an attack vector.
So far I have quarantined the two XP workstations and cleaned the share (manually removed all .exe files and ran MS SE on it). I have a snapshot of the share prior to cleaning it.
Thanks again for any advice or tips on where to look next.
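A practical first step with the pre-cleaning snapshot described above is to triage it from the Linux side rather than from a Windows box: find which documents no longer carry the header their extension implies (an .xlsx that does not start with the ZIP signature, an .xls that does not start with the OLE2 signature), estimate how random their contents are, and list the root-level executables named after directories. This is an added example for this thread, not the poster's tooling; it assumes the snapshot is mounted as a plain directory tree, and the share layout, file names and magic-byte table it uses are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Triage a file-share snapshot for ransomware indicators (added example).

Assumes the snapshot is a readable directory tree. The document types,
the demo share built below and the entropy threshold are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# Magic-byte prefixes for the document types the office used (constructed table).
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/ooxml (.xlsx/.docx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (.xls/.doc)",
    b"%PDF": "pdf",
    b"MZ": "pe executable",
}
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; well-encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample; 0.0 for an empty sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_magic(head: bytes):
    """Return the known file type whose signature the header starts with, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def triage_share(root: str, sample_bytes: int = 4096) -> dict:
    """Walk the snapshot and collect three kinds of indicator."""
    findings = {"encrypted_candidates": [], "dir_named_exes": [], "root_executables": []}
    dir_names = {e.name for e in os.scandir(root) if e.is_dir()}
    # Lure executables dropped in the share root, especially ones named like a folder.
    for entry in os.scandir(root):
        if entry.is_file():
            stem, ext = os.path.splitext(entry.name)
            if ext.lower() == ".exe":
                findings["root_executables"].append(entry.name)
                if stem in dir_names:
                    findings["dir_named_exes"].append(entry.name)
    # Documents whose header no longer matches any known type and whose bytes
    # look random are the likely encrypted victims.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DOC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if identify_magic(head) is None and shannon_entropy(head) > ENTROPY_THRESHOLD:
                findings["encrypted_candidates"].append(os.path.relpath(path, root))
    return findings


def build_demo_share() -> str:
    """Construct a small fake snapshot mirroring the pattern described in the post."""
    root = tempfile.mkdtemp(prefix="share_snapshot_")
    for d in ("Accounts", "Invoices"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "Accounts", "budget.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 100 + b"[Content_Types].xml")  # intact OOXML
    with open(os.path.join(root, "Invoices", "jan.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for an encrypted workbook
    for lure in ("Accounts.exe", "Invoices.exe", "porn.exe", "sexy.exe"):
        with open(os.path.join(root, lure), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64)
    with open(os.path.join(root, "x.mpeg"), "wb") as fh:
        fh.write(b"\x00\x00\x01\xba" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    share = build_demo_share()
    for key, items in triage_share(share).items():
        print(f"{key}: {sorted(items)}")
```

Run it against the real snapshot by replacing `build_demo_share()` with the mount point. The list of encrypted candidates tells you how far the damage spread and which files are worth sending for identification; the root executables are the samples to hash and submit for analysis before deciding whether the encryption is weak enough to attempt recovery.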