I am with everyone here. Smells of ROOTKIT.
First, before anything: if the customer paid for the software, then get the tech support onto it whilst you are onsite. Make them work for what the customer paid for. Sometimes (very occasionally) they can offer insight, but don't hold your breath. The only AV company who I have given credit is MCAFEE; they didn't fix the issue but they offered more than just reboot-uninstall-reinstall advice.
Like in "Freddy Got Fingered" when he gets inside of the roadkill, you have to get inside the mind of the person who created the attack. When hardware or software corrupts it usually stays in one area.
When something malicious is at play there are always multiple signs; they usually block multiple things.
An example of this: if you have the same problems in normal Windows as in safe boot mode, straight away I would bump ROOTKIT or BOOT loader virus up my checklist.
ROOTKIT detectors are different to AV detection. With a rootkit scanner like GMER you need to google every result and then make an educated judgement (which can be very hard) whether to kill or let live.
End of the day, sad as it will be, the customer is (should be) paying you by the hour. If the AV company can't work it out and there are no telltale signs of a virus, demand a refund and switch AV companies. Sometimes it just is, and if the customer goes on to a successful 3 years with a new AV product then job done. You did your initial checks to make sure there was no widespread virus, and the troubled product's support team looked into it and couldn't resolve it. Move on.