My suggestion would be to wipe that system clean and start with a fresh clean rebuild to eliminate it. Then on top of that have them change the security reset info after first changing their passwords for all online sites so that they do not lose access to the accounts. If it's a banking account that the access was lost from, a call to the local bank can place a lock on the account to ban anyone from accessing the account. Monitor credit cards for any suspicious charges, as well as debit cards etc.
One tech she asked to look at her machine said to delete everything and reinitialize. I'm thinking she should not have to go that far.
This is the best method of removal. Any other method of removal allows for something to be left behind, possibly changes that make the computer a gaping hole for a future attack.
I have yet to see a system that is fixed back to 100% after problems like this. There is always a scar left behind in the OS.
What antivirus is being used? And if this is truly not a system that can be rebuilt clean and must go the route of manual removal and verification that it's "assumed to be clean in the end", this topic will likely get moved to the Malware/Virus section where specialists can assist.
Any system that has been infected and not wiped completely clean I would never trust with any online transactions, e-mail, and confidential communications. My experience with keyloggers is that 9 times out of 10 you have a bigger problem in which a Trojan allowed for the keylogger to get installed, and potentially remote access for an attacker to mess with the system further and place hidden code that reinfects a system that is trying to be cleaned. I would only trust a total clean rebuild if this system is being used for anything important that can ruin the life of the computer owner if identity is stolen and they are drained of money from bank accounts etc.