My guess would be that it either uses named pipes to give an account someone has control of admin rights, or it is used to pipe commands to be run through a device that already runs as admin/system. Either way, the **** has already hit the fan.
You can only guess at what they have done if they got admin. But this vulnerability was fixed, I believe in SP2/3. If the service packs have been kept up with and this happened a long time ago, the fixes wouldn't close any back doors that were created.
If the file was recently put on, then my guess would be it was pretty much useless to them, but the fact remains that access was obtained.
There's so many things that could have been done, it's not worth chancing it. Wipe it clean, that's the only safe path. Getting educated is never easy.



