As I mentioned, I never found a way to actually remove the script itself, since I couldn’t find the script. But, I did surgically remove the script from the template, as it were. Pretty basic, actually, once I narrowed things down a bit. I just went into the part of her template setup that was generating the page headers, and found wp_head in that code. Rather than having it print the entire thing, I exploded wp_head, splitting it at the “<div” and “</div>” tags. There’s no legitimate reason any plugin would stick div tags in a header, so it’s unlikely there’d ever be more than that one set in there. Now, the template prints everything before the “<div” and after the “</div>”, but nothing in-between, thus removing that injected code from the front-end display of her site.
I also gave her some advice on how to make her WordPress install a bit secure. Unfortunately, whatever that code is is still in her install somewhere. I’m crossing my fingers that all it’s capable of doing is grabbing spammy links, so hopefully there won’t be any more troubles with her site in the future.