It is not even clear if an on-screen keyboard helps -- that is probably making the same Windows API calls as the keyboard driver to send the actual keystrokes to the operating system internals. In other words, if the logger is low level enough, and it probably is, any such input is traceable. Also, if the browser itself is compromised, it doesn't matter, either.
Two steps that are not perfect but that I think help a lot and are pretty simple:
1) Run your own browser software off your portable USB key for secure sites (see portableapps.com page)
2) Never enter keyboard strokes in order, use your mouse to enter in various sequences. Not just for brokerage accounts but for email accounts, too.
These two together still are not fullproof, but I think help a lot. Nothing is fullproof if you do not control the client completely. Personally, I plan to use my own PDA for this. Also, if you are using wireless, make sure that your account has some kind of customizable visual image, so the sight can't be spoofed (after entering user name, "your" image appears, before you enter password).
Just like SPAM, I expect this problem to get worse and worse. I don't see how you can ignore it, unfortunately.
Kramer