Nick FitzGerald
2003-08-21 21:09:39 UTC
> I used a newly updated AVG to clean the MSBlaster worm off a friend's
> computer yesterday. Before doing so, I installed the MS patch,
> apparently successfully. ...

Which variant?  Precisely what did AVG report?

"apparently successfully" in the sense that the installation did not throw
up any errors, etc, or "apparently successfully" in the sense of "that after
rebooting the files on the machine match those listed in the file manifest
mentioned in the KnowledgeBase article associated with the MS03-026 patch"

   http://support.microsoft.com?kbid=823980

??
Reports from several corporate sources suggest that up to 50% of MS03-026
installations "fail quietly" -- that is, the installer runs to completion
without warning of any errors, adds the Add/Remove entry for the patch, adds
the "the 823980 patch installer has run on this machine" registry value,
etc, etc, etc...
> ... I restarted the computer several times and
> received no message from AVG saying the worm was still on there. (I
> had received that message upon initial start-up.) I was getting
> memory problem messages but a re-scan with AVG showed no hits at all.
> This morning, she started up her computer and says she is getting the
> message again from AVG saying the MSBlaster (LovSan) is on her
> computer.

This probably means that the machine is still vulnerable and AVG is
detecting the worm's .EXE after it is written to the disk. So long as AVG
is set to deny access (or "stronger") as its "disinfection" action the worm
can't actually be activated.
> Do I have to go into the registry or something to eliminate this
> virus, or what? ...

No.

The virus is coming in over her Internet connection _or_ possibly she has
XP and Windows itself is "helpfully" restoring the missing file from the
System Restore _or_ AVG is detecting an archived copy of the virus Windows
"helpfully" stashed in System Restore when the virus first infected.
> ... Is it the same one I supposedly deleted yesterday, ...

Dunno.

You supplied delightfully few useful details -- certainly too few to answer
questions of this nature with any surety (though if it's XP, I strongly
expect that you'll find the answer in my last two suggestions above).
For starters, impress upon your friend the absolute need for her to note
_exactly_ the full text of any warnings she gets from AVG. There are
several nasties out there that spread via the DCOM RPC flaw as Blaster
does, but there are some that spread via other means as well. If she has
one of the latter and the DCOM RPC hole is plugged on her machine, we need
to know what it is to know where to look for the next security disaster on
the machine that needs to be fixed (that said, a quick check for open file
shares, that she has a decently long admin password with a good mixture of
alpha, numeric and punctuation characters, etc can't hurt; also, if it's
XP, enable the Internet Connection Firewall if she doesn't have a third-
party SFW and if she does, fix its obviously incorrect settings).
> ... or
> has she been reinfected? ...

Due to the chronic unreliability of the patch installer, this is a distinct
possibility also.
> ... (Should I re-install the patch AFTER running
> AVG?)

Due to the chronic unreliability of the patch installer, this is a distinctly
good idea also, but it would be better to do the installed file version
checks mentioned in the KB article as then you will know for sure whether
the patch has stuck. Once you know for sure the patch has stuck
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.510 / Virus Database: 307 - Release Date: 8/14/03

Disable that stupid feature.

Have you any idea how stupid you will look should one of the dozens of
ways a new, unknown virus (and even in some circumstances, currently known
viruses) could add itself to such a "certified virus free" message? If
you "recommend" AVG to friends, multiply that feeling of stupidity several
times over. I know AVG likes you to advertise for them, but this is just
silly and anyone who knows what they're doing disables this egregious and
very misleading advertisement.
--
Nick FitzGerald
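One way to do the installed-file version check the post recommends instead of trusting the Add/Remove entry or the installer's registry marker. This is an added example, not part of Nick FitzGerald's post or of the KB article; it is a PowerShell script written for a current Windows host (PowerShell did not exist in 2003). The file paths, the MinVersion values and the Uninstall registry key name are placeholders and assumptions: replace them with the file manifest from the KB article for the patch and Windows version being checked (KB823980 for MS03-026).

```powershell
# Added example: does a hotfix show as "installed" while its files were
# never actually replaced (the "failed quietly" case)?  Compare what the
# registry claims against what is really on disk.

$KB = 'KB823980'   # assumption: identifier the installer uses under Uninstall

$Manifest = @(
    # PLACEHOLDER entries -- take the real file names and versions from the
    # KB article's file manifest for your Windows version.
    @{ Path = "$env:SystemRoot\System32\rpcss.dll";  MinVersion = '5.1.2600.1254' }
    @{ Path = "$env:SystemRoot\System32\rpcrt4.dll"; MinVersion = '5.1.2600.1254' }
)

function Get-FileVersionObject {
    param([string]$Path)
    # FileVersion as a string often carries a build tag after the numbers,
    # so assemble a comparable [version] from the numeric parts instead.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
}

function Test-PatchRegistered {
    param([string]$KB)
    # Assumption: hotfixes register an Add/Remove entry under this key.
    # Its presence only proves the installer ran, not that files changed.
    Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$KB"
}

function Test-PatchFiles {
    param([array]$Manifest)
    $ok = $true
    foreach ($entry in $Manifest) {
        $expected = [version]$entry.MinVersion
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            Write-Output ("MISSING  {0}" -f $entry.Path)
            $ok = $false
            continue
        }
        $actual = Get-FileVersionObject -Path $entry.Path
        if ($actual -lt $expected) {
            Write-Output ("OLD      {0}: {1} < {2}" -f $entry.Path, $actual, $expected)
            $ok = $false
        } else {
            Write-Output ("OK       {0}: {1}" -f $entry.Path, $actual)
        }
    }
    return $ok
}

$registered = Test-PatchRegistered -KB $KB
$filesOk    = Test-PatchFiles -Manifest $Manifest

if ($registered -and -not $filesOk) {
    Write-Output "$KB is registered but the files do not match the manifest: the install failed quietly. Reinstall and re-check."
} elseif (-not $registered -and $filesOk) {
    Write-Output "Files meet the manifest but $KB is not registered (possibly superseded by a later patch)."
} elseif ($filesOk) {
    Write-Output "$KB appears to have stuck."
} else {
    Write-Output "$KB is not installed."
}
```

The point of running both checks is the discrepancy case: the registry and Add/Remove Programs say "installed" while the file versions on disk are still the vulnerable ones, which is exactly the situation the post describes. Run it from an elevated prompt so the system files and the HKLM key are readable.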