sorry for not knowing a lot about NetBIOS... but couldn't you look to see what files have been modified recently (or modified within the time-frame of the attack)... You should also try to secure your shares a lil' more as well...

Hello all, this is going to be a basic primer on NetBIOS security. I won’t go to much into detail about the specifics of this protocol other than it runs on ports 137 thru 139, with the main server, if you will, on port 139. It is used mostly for inter/intra-office communications and file/print sharing as well as for home use for the same purposes...

continued on http://neworder.box.sk/newsread_print.php?newsid=1295