It's a shame she has to go through all that.
(And yes - she already had AVG (replacing Norton earlier, at my suggestion via IWE lore), Spy-Bot SD, Ad-A - in fact it was the resident SpyBot ap she also activated - which first flagged TILT. Linksys router + ZA in operation; so this bug came from her own clicky-clicky, as she realizes.)
She is determined to find the pedigree of George, her ID of the keeper of root - or by whatever sinister facsimile. Is learning about some of the tools mentioned in these parts, the logic of step-by-step -- for the bugs that reinstall seconds after erasure. Appreciates why some of these need HD access via some Non-toy OS for cleansing ie. why you cannot let Doze run at all, under some conditions of auto-destruct-in-progress. (That's a lot to grok, for a non-tech, I'd say.)
I'm sure Andrew could recount his latest [link|http://z.iwethey.org/forums/render/content/show?contentid=195325|horror stories] - they're always interesting. Most likely her infection is something reasonably common but something that may play with the registry - making it non-trivial to remove.
My guess is she needs to try disinfecting the machine by booting from a [link|http://www.oreillynet.com/sysadmin/blog/2004/06/scanning_for_viruses_with_knop.html|live CD of some sort] - e.g., [link|http://www.inside-security.de/insert_en.html|INSERT] and [link|http://www.heise.de/newsticker/meldung/65553|Knoppicilin] (auf Deutsch).
If AVG can't get rid of it, maybe try [link|http://www.f-prot.com/products/corporate_users/win/|F-Prot] (scroll down for the trial version), and maybe [link|http://www.pctools.com/spyware-doctor/|Spyware Doctor] from a place close to Static's heart.
I've been lucky in that I've not had to go through a deep disinfection, so I can't tell you how well any of those tools work.
HTH a bit. Best of luck to her!
Cheers,
Scott.