It sounds as if you have a juicy technical problem you want to solve, but the user really needs to have a safe laptop she can use without a rootkit on board.
Your simplest and very best solution is to reformat and reinstall the OS and other apps on her laptop, update her AV and send her back to work. There really is NO reliable way to remove a rootkit, and you can never really trust that machine on your network again. So bite the bullet and clean the hard drive.
Now I can also see that as a true geek, you want to know the why and how of it. So clone a copy of her hard drive before you reformat, and drop it into a VMware or other virtual sandbox so that you can take it apart without risking further infection or loss of her data to some unknown party. Have fun!
Or if you used Application Whitelisting from day one, you would have never gotten this rootkit or any other malware. www.coretrace.com