Wow, fellow employee got hacked just now!

We were talking up front and out of our peripheral vision, we noticed his mouse cursor move up to Internet Explorer and go to a lycos site with a bunch of executables on it. Apparently he accessed it via VNC viewer and the ip is coming from France. Some funny stuff he did included going to Google for "how to uninstall norton" and following through with the process, rofl. Pretty much my first experience with a real time hacker, so it's been pretty exciting this morning. I'll divulge more details as I recieve them.

 

Just curious, is there anything to really check for in this type of situation? As far as I can tell, the admin is just doing a general search for recently modified files, there was some kind of Kabvncsetup.rar file on the desktop that's gone now, other than that.. I think we're just reporting the ip address, but I'm really intrigued by this whole affair and would like to look into it myself since I'll have some time with it today.

 

First isolate that computer from the rest of your network (unplug from the LAN) or else it may spread to other computers.
Since you don't know yet the scope of the hack or how they got in, assume that the entire network has been hacked. Don't take chances.
Hacker may have gotten into router config as well.
Depends on how your LAN is setup.
Try to find where they got in and plug the hole.
Retrace steps, what were the last things the user of that computer did?
Any risky behavior? Tried a new screen saver off the internet?