Question number one (the short one): Could constant network usage from vbc.exe (as seen in Process Explorer) be an indication of general nefariousness?
Question number two (the long one): I am currently working on a computer for a customer who, apparently, was actively hacked. Her grandson plays an MMO (Play Wizard101, but maybe another one, too; it's too late right now to call her and ask her which). She used her Paypal account to get him full access. While he was playing a screen popped up saying something like: "I've hacked your mom's Paypal account; send $20." He ran to get her. She closed the window. Then another screen popped up with, according to her, a blue "i" information icon, that said something like: "I'm serious about this. You can pay $20 or $1,500 dollars. Your choice." Oh, and it, you know, displayed her actual Paypal password on her screen. She immediately Googled for a Paypal telephone number, called them, and had them temporarily shut her account down, but not before they had her try to change her password. When she tried, something kept preventing her (a window pop-up or something? I didn't quite get that part). Then she had Norton remote into her computer, but every time they tried to do something, her computer would spontaneously shut down. She said they told her that someone had "hacked her IP address." ... :/ Hey, I'm just telling you what they said.
So she called me. I told her to use another computer to change her password for every important site to something good--at least 9 characters, special characters/numbers/upper- and lower-case, etc--and to make them all different. If someone remoted her PC then it would be a piece of cake to look up the saved Firefox passwords (a weakness of Firefox that I have never thought about), and I am assuming there are tools to retrieve those from IE, as well. She was able to change her Paypal password, so at least she's out of that water.
So now it's in my "shop" (bedroom with a table on top of a coffee table so's I can work standing up). First I ran an Avira bootable CD. Then I logged into her XP and ran eScan Toolkit. That was when the first weird thing happened. After the scan ran, the results log should have stayed on-screen, but by the time I got around to looking at it, it was gone and I was back at the initial program window. I then opened Task Manager to look at the network usage: a constant 10-15 kbps. I then opened Autoruns and unticked some things. Then I opened Process Explorer, and that's when I saw that vbc.exe was using the network. I did not kill it because Combofix was next and I wanted it to remain in memory; I figured that was a place Combofix would definitely check, and I wanted CF to see it. Ran Combofix, updated. "Combofix shall now restart." Pressed Enter. Nothing. Tried running Combofix again... nothing. Well, it had already updated, so let's go to Network Connections and disable the NIC. Could not disable it, so I tried to go to Device Manager... and the computer shut itself down (nicely; as in, it closed all the programs and went through the "Logging Off," "Shutting Down," etc.). Before I turned it back on I unplugged the network cable (should have done that instead of disabling the NIC; don't know what I was thinking). Then I used Process Explorer to kill vbc.exe.
Ran Combofix again, and the first thing it found was Rootkit.ZeroAccess (or something like that); the message said it had inserted itself into the tcp/ip stack, and I had to reboot to get rid of it. After that it found some other things. I can post the log if you want.
So what I need is to be as sure as possible that nothing else like this remains on her computer. If someone with good reputation here on bleepingcomputer tells me that I need to do a system recovery on her machine, then I think she would be amenable, but if someone thinks they can get me going without that, that would likely be preferable.
Thanks in advance. You all are great. The tools on this site are awesome (I've used Combofix, rkill, and unhide). I'd recommend you to anyone. I'd probably be more of a contributor but am sooo busy; I work an 8-5 job and do the computer work after hours, on weekends, and on holidays. I've usually taken care of malware by myself (or by searching forums if nothing fixes the symptoms) but this time I'm going to the experts directly.