The server seems to have been modified a lot. I cannot start/run/do many tasks like Task Manager, Server Backup, command-line password change, etc.
User names and full names don't match their descriptions. Now Administrator may not be the administrator.
I cannot enable/disable accounts.
The server is being used as a brute-force attacker: DuBrute was running.
I tried to reboot, a SAM init error occurred and a BSOD appeared. I could recover the SAM file from an older copy.
Now I cannot do many things. It looks like the server was hacked a week ago; the file creation dates say so.
I found a few registry files like this one: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin
Can I clean up that mess, or do I have to restore from backup?
It would probably be best to restore from backup provided you can do a full restore including all the system state. It would actually be better to rebuild it completely as a new system and restore the data you need. You would really need to find out how your system was compromised in order to prevent it from happening again or to other systems in your network.
Restore from backup. If this is a Domain Controller you need to scan your other DCs and may want to force a password change on all accounts.
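As an added example (not code from anyone in this thread) for two points raised above, that "Administrator may not be the administrator" and that a password change should be forced on all accounts: the first function maps local accounts by their well-known RID so a renamed built-in account cannot hide behind its name, full name or description, and the second forces every enabled domain user to change password at next logon. It assumes PowerShell with CIM and, for the second function, the RSAT ActiveDirectory module; the function names are my own.

```powershell
# Added example, not from the original thread. Assumes PowerShell with CIM;
# Reset-AllDomainPasswords additionally assumes the ActiveDirectory module (RSAT).

# Map local accounts by well-known RID. RID 500 is always the built-in
# Administrator and RID 501 the built-in Guest, whatever Name, FullName or
# Description currently say, so a rename shows up as a mismatch.
function Get-BuiltinAccountMap {
    $known = @{ 500 = 'Administrator'; 501 = 'Guest' }
    # On a Domain Controller there are no local accounts; inspect the same
    # fields with Get-ADUser -Filter * -Properties Description instead.
    Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" |
        ForEach-Object {
            $rid = [int](($_.SID -split '-')[-1])
            [pscustomobject]@{
                Name         = $_.Name
                FullName     = $_.FullName
                Description  = $_.Description
                Disabled     = $_.Disabled
                RID          = $rid
                ExpectedName = $known[$rid]     # $null for ordinary accounts
                # A built-in RID whose current name differs is a red flag
                Suspicious   = ($known.ContainsKey($rid) -and $_.Name -ne $known[$rid])
            }
        }
}

# Force every enabled domain user to change password at next logon.
# Supports -WhatIf so the list can be previewed before any account is touched.
function Reset-AllDomainPasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter { Enabled -eq $true } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Require password change at next logon')) {
                # Fails for accounts flagged PasswordNeverExpires; clear that flag first
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
        }
}

# Usage: review the account map first, then preview the reset before running it for real.
Get-BuiltinAccountMap | Sort-Object RID |
    Format-Table Name, RID, ExpectedName, Suspicious, Disabled -AutoSize
# Reset-AllDomainPasswords -WhatIf
```

Run the reset only after the compromised host has been rebuilt or isolated, otherwise the new passwords can be harvested again from the same box.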