It's funny when the command was being typed in.... And I caught it by accident.. I was vnc'd in checking an e-mail issue my user was having...
Well, it seems like you weren't alone.
While it's possible there's a backdoor or remote tool on your computer, I don't see this as the most likely problem. Still, you should run the scans I mentioned above to check this.
More likely, maybe, is one of the following (some of these assume you're in a business environment):
-- User ID and password(s) were stolen by an attacker before you patched RealVNC or through other means such as a user leaving a list of passwords in plain view on a desk
-- Access was gained through an active session that was left unattended, say while an employee working from home took a break from the computer (I don't mean to speak badly of people but the reality is the attack came from somewhere)
-- An ex-employee's credentials have not been revoked
-- An active employee who feels he has an axe to grind is trying to wreak a little havoc
-- There could be an insecure wireless device in the network, possibly in an employee's home.
-- A new, unidentified, RealVNC vulnerability exists (not too likely; just looking at the possibilities)
Because you had the unique experience of watching the attack in progress you do have a tool normally not available. The IP address you noted above is, potentially, that of the attacker. It resolves to a cable provider in the Dakotas of the United States named Midcontinent Communications. Here's a link to the home page
http://www.midcocomm.com/
In addition to contacting them to report the incident, you should require all valid users to change their IDs and passwords, and review all credentials to make sure there are none still valid for people who might have left the company.
Regarding the firewall, the one native to Windows and your appliance provide inbound protection but not outbound. There are many free ones available for home use but you might violate the terms of the license with these in your environment. In your situation, however, I would probably test one or two of the free ones for compatibility with an intent to purchase. This might help get things under control and I'm sure for short term evaluation purposes the vendor would understand.
You also need to search your computer for the presence of a file named i. Do the search with i enclosed in quotes ("i") - otherwise you will get a list of every file containing i in the name. The reason for this search is the method the attacker was using. If I'm reading the commands correctly the attacker was writing a text file named i to contain batched ftp commands. An ftp session would then have been opened and 886.exe would be transferred. After running 886.exe, i would have been deleted and the command window would have closed. Since you interrupted this process there is a possibility that i exists on your hard drive with some or all of the ftp commands. In this situation I would archive i to a CD in case you need documentation of the attack and delete it from the hard drive.
Please post the results of the scans when you get a chance.
EDIT: If you do find a file named i you can safely read its contents before deleting it in a command window with the command "type i" leaving off the quotes.
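The search for a leftover file named i described in the post above, as an added example that is not part of the original post: it walks a directory tree, matches only files whose whole name is i, and records a SHA-256 and any ftp-style commands found so the file can be documented before it is archived and deleted. The function names, the list of ftp verbs and the sample file contents are assumptions constructed for illustration; the attacker's actual commands are not shown in the thread.

```python
import hashlib
import os
import re
import tempfile

# Assumption: verbs typical of a batched ftp script; the attacker's exact
# commands are not shown in the thread.
FTP_VERBS = re.compile(rb"^\s*(open|user|binary|get|mget|bye|quit)\b", re.I | re.M)


def read_head_and_hash(path, max_bytes):
    """Return the first max_bytes of the file and the SHA-256 of all of it."""
    digest, head = hashlib.sha256(), b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            head += chunk[: max(0, max_bytes - len(head))]
    return head, digest.hexdigest()


def find_candidates(root, name="i", max_bytes=4096):
    """Report every file under root whose entire name is `name` (no partial matches)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != name.lower():  # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, fn)
            try:
                head, sha256 = read_head_and_hash(path, max_bytes)
            except OSError:
                continue  # locked or unreadable: skip rather than abort the sweep
            verbs = sorted({m.group(1).decode().lower() for m in FTP_VERBS.finditer(head)})
            hits.append({"path": path, "sha256": sha256, "ftp_verbs": verbs,
                         "mentions_exe": b".exe" in head.lower()})
    return hits


def demo():
    """Constructed sample tree: an interrupted ftp script named i plus a decoy."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "i"), "w") as fh:
        fh.write("open ftp.example.invalid\nuser placeholder\nget 886.exe\n")
    with open(os.path.join(root, "index.txt"), "w") as fh:
        fh.write("contains the letter i but is not named i\n")
    return find_candidates(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Recording the hash before copying the file to CD lets the archived copy be matched to the original later.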