April 15th, 2005, 03:40 PM
#1
Hacking Scenario
I am writing a short tip and I wanted to get some more diverse opinion and feedback. Here is the scenario I am basing it on:
SCENARIO: "I'm an IT administrator with a little over 500 end users, running Windows 2000 and XP. One of our users is experiencing a problem with her Internet connection suddenly dropping for no apparent reason.
When she restarts her computer, everything works fine for a while, but then the connection drops again. The funny thing is, she's noticed that her AOL Instant Messenger service still works even when she can't access her e-mail. We've already run Netstat and noticed that more unknown open connections are being used to certain ports. This particular user has a laptop and works from home frequently, so we're not sure all updates have been installed. Has her computer been hacked?"
Based on that scenario, I want to address the following:
1. Diagnosis -- Given the info in the scenario, has this person been hacked or not?
2. Initial response period -- What can the IT administrator do in the first 24 hours to contain the extent of the damage?
3. The road to recovery -- After the first critical 24-hour window passes, what actions can the IT administrator take to start getting back on track?
4. Preventative steps -- What steps can the IT administrator take to prevent being hacked in the future?
I know the scenario is a little vague. That is part of the point. Anyone interested in providing your feedback on diagnosis and remediation based on this scenario?