Users started complaining about slow network speed so I fired up Wireshark. Did some checking and found many PCs sending packets similar to the following (screenshot):
I blurred out the text for the username, computer name and domain name (since it matches the internet domain name). Computers are spamming the Active Directory servers trying to brute-force passwords. It will start with Administrator and go down the list of users in alphabetical order. Physically going to the PC finds no one anywhere near it, and this behavior is spread across the network, so it appears to be a virus of some sort. Scanning computers which have been caught spamming the server with Malwarebytes, SUPERAntiSpyware and BitDefender (this is the antivirus the client has) yields no results.
This is an enterprise network with about 2500 PCs so doing a rebuild is not a favorable option. My next step is to contact BitDefender to see what help they can provide.
Has anybody seen anything like this or have any ideas what it could possibly be?
Sorry, I've no idea what this is, however, you have more important issues right now.
How many machines are doing this? Have you disconnected them all from the network? (and if not, why not?)
Can you find any evidence of domain accounts being compromised (especially domain admin accounts)?
I can understand you not wanting to build your desktops again, but unless you do, you can't be sure you'll clean the machines.
First steps:
Next you need to perform some forensics on your known bad machines to try and trace what has happened. Once you know this, you stand a better chance of knowing what the scope of this attack is. Use RootkitRevealer, and perhaps even image the hard disk before you destroy any evidence. Linux live CDs with NTFS support can be very useful here, as they should allow you to find what a rootkit could be hiding.
Things to consider:
Edit: Trying to give more info is difficult, as it really depends upon what you find, but having been in a similar situation several years ago, you really need to distrust everything, especially machines and accounts that you know to be compromised.
It could be anything from L0phtCrack to THC-Hydra or even a custom-coded application, though your AV solution should have picked up the well-known apps.
At this point, you need to identify all the systems infected, quarantine them (vlan, etc), and contain and eradicate the malware.
Have you contacted your I.T. Security team yet?
Finally, I understand you not wanting to rebuild, but at this point, (with the little data you have given), I would say that the risk warrants rebuilds.
-Josh
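One way to do the "identify all the systems infected" step from a packet capture, as an added example that is not from the original thread or any of its posters: export the Kerberos AS-REQ frames with tshark and flag every client that asks for tickets for many different principals inside a short window, which is the pattern the question describes (one workstation walking the user list from Administrator downward in alphabetical order). The tshark field names `frame.time_epoch`, `ip.src`, `kerberos.CNameString` and the display filter `kerberos.msg_type == 10` (AS-REQ) are assumed to match the Wireshark Kerberos dissector; the sample rows are constructed for this example. Note that a normal workstation only ever requests tickets for its own machine account and the users who actually log on to it, so a dozen distinct principals from one IP in a few seconds is a strong signal on its own.

```python
"""Flag clients that send Kerberos AS-REQs for many different principals in a short
window: the "walks the user list alphabetically" pattern described in the thread."""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape produced by (field names assumed to match
# the Wireshark Kerberos dissector, rows invented for this example):
#   tshark -r capture.pcap -Y "kerberos.msg_type == 10" -T fields -E separator=, \
#          -e frame.time_epoch -e ip.src -e kerberos.CNameString
SAMPLE_CSV = """\
1300000000.10,10.1.5.23,administrator
1300000000.35,10.1.5.23,alice
1300000000.60,10.1.5.23,amy
1300000000.90,10.1.5.23,bob
1300000001.20,10.1.5.23,carol
1300000001.50,10.1.5.23,dave
1300000001.80,10.1.5.23,erin
1300000002.10,10.1.5.23,frank
1300000002.40,10.1.5.23,grace
1300000002.70,10.1.5.23,heidi
1300000003.00,10.1.5.23,ivan
1300000003.30,10.1.5.23,judy
1300000004.00,10.1.5.23,
1300000005.00,10.1.7.40,ws0740$
1300000006.00,10.1.7.40,mallory
1300000007.00,10.1.7.40,mallory
1300000050.00,10.1.9.12,oscar
1300000051.00,10.1.9.12,oscar
"""


def parse_as_requests(text):
    """Return sorted (epoch, src_ip, principal) tuples from tshark CSV output,
    skipping rows where the dissector left the principal name empty."""
    rows = []
    for epoch, src, cname in csv.reader(io.StringIO(text)):
        if cname:
            rows.append((float(epoch), src, cname.lower()))
    rows.sort()
    return rows


def ascending_fraction(names):
    """Share of consecutive principal pairs that are in alphabetical order. Close to
    1.0 means the client is walking a sorted user list, not logging in normally."""
    if len(names) < 2:
        return 0.0
    inorder = sum(1 for a, b in zip(names, names[1:]) if a <= b)
    return inorder / (len(names) - 1)


def find_sprayers(rows, window_s=60.0, min_distinct=8):
    """Return {src_ip: summary} for every client that requested tickets for at least
    `min_distinct` different principals inside some `window_s`-second window.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    by_src = defaultdict(list)
    for epoch, src, cname in rows:
        by_src[src].append((epoch, cname))

    hits = {}
    for src, events in by_src.items():
        best, best_names, lo = 0, [], 0
        for hi in range(len(events)):            # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            names = [c for _, c in events[lo:hi + 1]]
            distinct = len(set(names))
            if distinct > best:
                best, best_names = distinct, names
        if best >= min_distinct:
            hits[src] = {
                "distinct_principals": best,
                "requests": len(events),
                "ascending_fraction": round(ascending_fraction(best_names), 2),
                "first_principal": best_names[0],
            }
    return hits


if __name__ == "__main__":
    for ip, summary in find_sprayers(parse_as_requests(SAMPLE_CSV)).items():
        print(ip, summary)
```

Run it against the real export and the flagged IPs are the quarantine list; the domain controllers' own security log (Kerberos pre-authentication failures, event ID 4771, with the client address in each event) is an independent source to confirm the same hosts before pulling them off the network, since the capture only shows the segment Wireshark was listening on.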
Try running a different capture program to make sure the results confirm what Wireshark is seeing. Wireshark has had problems in the past decoding Kerberos traffic. Make sure what you're seeing is not a red herring.
Are you seeing any other "anomalies" in the capture?