Lawrence Abrams: In the discovery (diagnosis) phase, the first thing to do is freeze the laptop so the infection will not spread and data or evidence corruption and loss does not occur. In the event that the laptop needs to be admitted as evidence in court, you must perform the proper steps before analyzing any of the data on the hard drive.
Immediately unplug the ethernet cable and then power off the computer (do not shut it down). Then, using a byte-for-byte copy tool such as EnCase, FTK Imager, WinHex or the dd gui found on the Helix Linux CD, image your hard drive from the infected laptop to a spare laptop. Now that you have a forensically sound copy of the laptop, lock the original laptop away and do not turn it on again in case you need to use it as evidence in court.
Once the data has been moved to a spare laptop, the next step is to identify the infection. In the scenario described, I would first download Fport from Foundstone research tools and HijackThis to get an overview of what is running on the computer. Fport will identify the programs that are opening the IP ports and HijackThis will tell you how these programs are starting in Windows. Then with Netstat you can see if the computer is attempting to connect to other machines on the network and infect them.
Kevin Beaver: The odds are good that this user's computer has been hacked or infected with some type of malware.
Tony Bradley: The scenario does describe suspicious activity, but given only the information in the scenario, it is difficult to determine with any certainty if the activity is malicious or just a glitch of some sort.
Stage two: Immediate actions
About the experts: Expert bios are available on the scenario page.