Before you try scrubbing your server again I would recommend throughly checking your workstations.
Nimda is not a server-only worm like some of it's predecessors, which took advantage of the same IIS vulnerabilities. There is a potent workstation component that spreads via email, network shares and infected web sites.
If you have an infected desktop that accesses your server it could be dropping and/or modifying files on your server.
here Network associates blurb on it:
Office of the Controller
Michigan State University
146 Administration Building
East Lansing, MI 48824
Ph. (517) 353-4443
Fx. (517) 353-1046