I have a client running a remote desktop server as a non-dc system in their network. I noticed that an odd user showed up as a local (non-domain) user on the server. I was able to change the password and log in as that user. I found the attached program running. Obviously, it appears their system has been compromised and used to host this Storm program. I stopped the program via Task manager and then deleted the downloads that I found. I then changed the password and disabled the local user and insured that it was not part of the authorized RDS users. I've changed the domain admin's password and am having the users all change their's as well. What recommendations does the community have for me regarding next steps. Any input would be greatly appreciated.