Rather than attacking the problem by trying to pick specific tools, you need to get into her threats more deeply. Fundamentally, there are three sorts of keyloggers: hardware dongles, rootkit-ish things, and regular software-ish things. Obviously, no software will detect a hardware dongle. Rootkit-ish things, which may include virtualization to get below the operating system, are again not something you're going to pick up with a scanner.

The trick is that hardware dongles require physical access, and many rootkit-ish things are relatively hard to install without either physical access or a machine that's way, way out of date on its security patches. So you have to ask what level of protection you're going after here. If the attacker is physically remote and the machine is running properly patched software and suitably configured without lots of unnecessary services, there's relatively little to actually worry about. On the other hand, if you're worried about a physically present attacker, the whole game changes and you should be looking at radically different approaches (e.g., a used government-spec security container).