It might be easiest to simply wipe the drive and start over if she still has her OS disk. But if she has a lot of custom settings and wants to keep her current config, I would do the following:
In safe mode run these: TDSS Killer, MBAM full scan, Dr. Web Cureit full scan, RKill (from bleepingcomputer.com), and Combofix.
Then run the latest version of HitMan Pro in safe mode with networking. I would also make a bootable Kaspersky rescue disk and set it to scan everything except the C drive.
Figure out how to turn off the "remote access" permission on her PC. Google it. After that I would disable her AV AND firewall and install Threatfire AV and set it to LEVEL 5, and it will definitely let you know everything that is going on in the background. Keep Threatfire installed, and at Level 5, for at least a month of day-to-day usage to make sure your scans crippled all malware that may, and probably does, exist. I would also install Process Hacker II and look for any suspicious svchost CPU usage (only Windows Update should spike these).
I don't know how to get it anymore, but you can also use XueTr to check for suspicious inline Kernel hooks. It will let you view all Ring 3 and Ring 0 activity, and other things.
Even if there is a keylogger on there, Sandboxie might cloak her keystrokes, or at least prevent them from being recovered for the time being. Just surf while sandboxed if you must. Set it up to "drop rights" and "delete contents after closing sandbox".