First off, key loggers do not necessarily cost money. If this user is technically competent, and has the right connections, such things can be obtained for free. So assess the user from a purely technical capability standpoint.
Second, get a program like CCleaner (Crap Cleaner). This will go through and clear out almost all of the temporary files. There are numerous places where temp files are stored, and it knows where most of them are.
If you suspect that the system has been “rooted” (compromised/owned) download the Sysinternals rootkit detector from Microsoft’s TechNet web page, and run it to analyze your system to look for file system discrepancies that indicate the presence of a rootkit.
Assuming that you’re running Win 2K/XP, and have the disk formatted with NTFS, lock down and propagate user access permissions so that no one else – not even the system – has read privileges to anything in your Documents and Settings folder – although you may get some protest from the O/S there, lock down as much as you can.
Turn off all file sharing.
Write back and let us know how it’s going and what luck you’ve had. There are other things you can do, but these give you a good place to start.
I just LOVE problems like this!