saw1197
Hacker on my system from foreign domain

I currently have a network running in 14 different geographic locations across 3 states. My corporate network is in a frame-relay cloud, all except for 2 of the locations. One of the locations is hooked to DSL and they work via a Citrix connection over the internet.

One of the end users was complaining that they couldn't log in with their usual name and password. Even the admin password wouldn't work to get into the system. After using a workaround to get into the system, one of my staff actually viewed the hacker inside of the computer creating an executable and running a password-hacking program. The hacker would go to an FTP site with a .ru extension. (Russia?) I believe that was on the 62.0.0.0 network block. Anyway, he would go to the system32 folder and create his own folder named "mui". Inside this folder would be the executable of the program he downloaded from the FTP site. He would rename the executable "svchost". Now the program was running as a service.

I don't think he knew we were watching at first, but if we could see him through VNC and the end user couldn't see a thing, doesn't he have to be getting in through a hacked VNC password? If it were Remote Desktop, I wouldn't be able to see his session.

These guys always seem to be one step ahead, and I was wondering what the experts would recommend as the best training ideas for my staff and the best preventive measures to keep anything like this from happening again? Sorry for the long-winded explanation...
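The masquerade described in the question (a downloaded tool renamed "svchost" and run out of a freshly created system32\mui folder) is something staff can check for mechanically rather than by watching the console. The following is an added example, not code from the thread or from any poster. It assumes what is true on Windows XP/2003: the genuine svchost.exe lives in %SystemRoot%\System32 and is always started by services.exe, so a "svchost.exe" anywhere else, or with any other parent, is the thing to find. The process records are constructed to mirror the post; the extra System32\mui check is the specific staging folder the asker saw, not a general rule.

```python
"""Flag processes that match the svchost masquerade described in the question.

Added example; not code from the thread. The genuine svchost.exe on
Windows XP/2003 lives in %SystemRoot%\\System32 and is started by
services.exe, so any "svchost.exe" with a different image path or parent
is suspect. The System32\\mui check is the staging folder named in the post.
"""
import ntpath

LEGIT_SVCHOST_PARENT = "services.exe"

# Constructed sample inventory standing in for Win32_Process output:
# one real svchost, the attacker's copy from the post, and a second fake.
SAMPLE_PROCESSES = [
    {"pid": 940,  "name": "svchost.exe",  "path": r"C:\WINDOWS\System32\svchost.exe",       "parent": "services.exe"},
    {"pid": 1188, "name": "svchost.exe",  "path": r"C:\WINDOWS\system32\mui\svchost.exe",   "parent": "explorer.exe"},
    {"pid": 1604, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe",               "parent": "userinit.exe"},
    {"pid": 2020, "name": "svchost.exe",  "path": r"C:\Documents and Settings\bob\svchost.exe", "parent": "cmd.exe"},
]


def _norm(path):
    """Normalise and case-fold a Windows path; NTFS names are case-insensitive."""
    return ntpath.normpath(path).lower()


def suspicious(proc, system_root=r"C:\WINDOWS"):
    """Return the reasons a process record looks like the masquerade (empty list if clean)."""
    reasons = []
    canonical = _norm(ntpath.join(system_root, "System32", "svchost.exe"))
    image = _norm(proc["path"])
    parent = proc.get("parent", "").lower()

    if proc["name"].lower() == "svchost.exe":
        if image != canonical:
            reasons.append("svchost.exe image is %s, expected %s" % (proc["path"], canonical))
        if parent != LEGIT_SVCHOST_PARENT:
            reasons.append("svchost.exe parent is %r, expected %s" % (proc.get("parent"), LEGIT_SVCHOST_PARENT))

    # Indicator specific to this incident: the tool was staged under system32\mui.
    if "\\system32\\mui\\" in image:
        reasons.append("executable staged under System32\\mui: %s" % proc["path"])

    return reasons


def scan(processes, system_root=r"C:\WINDOWS"):
    """Map pid -> reasons for every process that raises at least one flag."""
    findings = {}
    for proc in processes:
        reasons = suspicious(proc, system_root)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(scan(SAMPLE_PROCESSES).items()):
        print("PID %d:" % pid)
        for reason in reasons:
            print("  - " + reason)
```

On a live machine the records would come from WMI's Win32_Process class (ExecutablePath and ParentProcessId, with the parent PID resolved to a name) rather than the constructed list above; the path comparison is done case-insensitively because the attacker's "system32" and Windows' "System32" are the same directory.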
Ashish Patel

Have a firewall and block unnecessary IPs from getting into your machine.
ASKER CERTIFIED SOLUTION
rindi

Forced accept.

Computer101
EE Admin