It seems it was infected. Or it is now.
His browser flashed up a (fake) warning message, saying call this 0845 number now, your machine is compromised. Which he did, and was, sadly easily, talked in to installing some remote control software. I'd say he had some malware onboard to allow the warning message to come up, unless he was browsing some flaky site or other. Anyway, dusting off and nuking is going to happen. I've recovered his data*, by using a Ubuntu live DVD and an external HDD. Poking around I found a whole new user profile had been set up by the scammers. There's also a log file for the remote control software, but it doesn't give useful info like "Scammmer at 27 Scammer Ave, Scumbag" logged on at 1537, merely a user number. Could be useful to the rozzers I suppose, so I'll copy that file for them.
* Stuff me, Windows Photo Gallery tucks the images well away under the bonnet, doesn't it.