Hi,
We run a small network. We use an NT 4.0 PDC which serves as a file/print
server and we have an NT 4.0 BDC which also has Exchange 5.5 so is our mail
server.
We also have a Windows 2000 advanced server which is a stand alone acting as
an Application server.

Now what happened was somebody brought their laptop in and connected to the
network. She probably hasn't had this laptop in the office for 2 months.

I guess from the subject you can guess - this laptop infected our servers and
any shared workstation with the Nimda virus. (Interestingly enough although
I had monitor incoming and outgoing files the antivirus only picked this up
with a manual scan.)

Basically it threw files all over the place, esp. .eml.

I went to Symantec and downloaded and applied the fix, taking machines off
the network to avoid reinfection.

I noticed though that rather than adding guest to administrators an account
named backdoor was created. (I deleted this account).

So it appears the infection was caught rather quickly. However I am scared
to death that someone may be able to access our servers now. According to
Symantec this could have compromised my security because the system could've
been accessed by an outside user and they could've done many things including
installing remote connectivity host software.

I rescanned all systems and they are coming up clean.

Please could someone give me advice on where I go from now (such as any
audits to implement, accounts to look for, processes running in the
background to look for, etc).

Do I have to reinstall the operating systems? I really hope there is a workaround to avoid doing this.

Any advice would be so greatly appreciated.

Thanks,
Dani