OK, so after going through msconfig and setting it to boot normally it... booted normally. I'm guessing dickwad mcfuckface on the phone had set for safe mode and then wanted a hundred bucks to unset it.

I also disabled remote desktop connection in msconfig.

Fuck you, mcfuckface.

I may test out the softlay offering in a virtual machine at work next week. Glad I didn't have to use it.

A fresh softlay-sourced Windows 7 install in virtualbox passed a MS Malicious Software Removal Tool scan, so I installed Firefox (which Mrs.D uses) and opened the site she said was the last one she browsed before the attack: http://arizonamountaineeringclub.org.

Nothing happened. I suppose it's possible another malware-infected web site she had browsed earlier was the culprit.

I also opened the actual web page the attack apparently came from, based on her ff history:
http://187679863776586953687908945.win/?a=10012294&offer_key=d26a2baaa128ee148b74161dcfb52443&nrid=3

which (unsurprisingly) returned a 404 not found

Another scan with the Microsoft tool after browsing these sites also turned up nothing.

Conclusion: attack vector unknown.