http://www.blkviper.com/WIN2K/win2k.htm
Good about listing which services there are and whether you need them or not. Most of the calls to service are probably legit, not really sure why M$ does it that way, but it does do it a lot. If you have any other spare machines around, you might could install a regular copy of win2k and use it as a baseline to compare with what you have...
There are also some tools available that will allow you to see what ports you have opened on your system, what process is using them, etc. Those can be helpful in detecting trojans.
There are some somewhat helpful tools at:
www.incident-response.org/windows.htm
Now as to what originally happened, you mentioned you had NetBIOS over TCP/IP turned on. Do you have your administrative shares and anonymous access restricted? That would definitely be a way in... I am assuming you are using IIS as the web server... how much securing did you do? Did you turn off index service, did you have all the latest patches, etc.?
Neb



