i'll be changing all my passwords on a never-compromised computer tomorrow.
e: make sure you mix numbers and special characters into your new password.
combofix is good(better than sdfix, anyway), but it's, again, automated. you would need an actual person to sort through and make sure it's clean.
and, wow, that's a hell of a thing for yahoo to miss.
those utilities i listed are sysinternals utilities. http://technet.microsoft.com/en-us/sysinternals/default.aspx
when i remove malware i generally start with malwarebytes and super antispyware. one run each in safe mode. then, if it looks like it's necessary, combofix once in safe mode. past that, it becomes a mix of procexp, procmon, autoruns, and tcpview to see what's running/listening/connected and rootkit revealer and gmer to do a rudimentary check for a rootkit. at that point, you're removing malware by hand either in safe mode or through the recovery console. i've been doing a lot of reading on exploits and security lately, and all of the malware cases our(admittedly small) company gets come to me, along with pretty much anything past basic adware from a few of our large clients, and i'm yet to fail in removing something(outside of the occasional bluescreening system after removing a really nasty rootkit) with that method, so it definitely works.
by the way, i don't know if anyone told you about combofix, but if you're going to use it be prepared to recover your system/user profile via the recovery console. if it locates malware and the infection is removable by combofix, it WILL remove the infection regardless of what vital system processes it may break.