Thanks very much for the info. It will help me to make sure the other servers are in good shape. I have been running some tools to check them out (Stat analyzer, port scanning, etc).

Do you know of a forensics tool that can be used to locate inappropriate files on the machine? (like coroner's toolkit on unix systems).

The network connection on the machine is disabled, and the machine is not needed. I'm mostly interested in the investigation of the incident as a means of learning more about Windows security.

Just a few weeks ago, I attended a SANS "Securing Windows 2000" seminar, so I am getting some practice on the other machines.