Someone tried to do a $3000 purchase with my paypal account. I had an ultra strong password so am sure I got nailed by a keylogger.

Bummer too, I was just now logged into my hosting account for a website and saw that one of my email addresses had been changed to something else!

I use AVG Free at home and at work and I get nothing found with the scan. I use ZoneAlarm free for firewall and never got any intrusion messages.

... so I wonder if AVG Free is just not an adequate anti virus program?

At home I use a laptop connected to the net via an unsecured wireless network. Does using an unsecured wireless network allow a keylogger to bypass a good antivirus and firewall program?

... so I'm changing passwords for logins that are to sensitive info, but am mostly now concerned about finding the problem and solving it.

Any suggestions? Do you think it's a keylogger that just somehow got past my AVG?

Quite possible.
You mention Anti virus and firewall, but NO anti spyware at all.
Time to get Adaware and/or spybot.
Give me a shout and I'll see what can be done ;)

Also you MUST secure your WiFi connection.
Even basic WEP encryption will deter a script kiddie and keep you safer.

I did run spybot and got a clean report but I'm now reading that keyloggers are "non-signature malware" which I read that typical anti ad-ware and anti spy-ware programs do not find so well.

I'm trying out this one now - to see if it finds something that spybot did not find.

This is just NOT my week :(

Also give Trend Housecall a go.
Trend Micro HouseCall - Start

Also Spybot has a great resident function called teatimer, which monitors your registry for changes.