The kid’s computer caught a virus through Windows Live Messenger (aka MSN Messenger). At the other end of a conversation was an infected computer which offered up a message to the kid, inviting a click on a website (I think it was “cutebitch.com” or similar). That was clever because it looks as though your best mate has recommended it. Needless to say, this quickly downloaded some nastiness, causing crashing and a few hours of the usual headaches.
The checker, AVG from GriSoft, only detected some of the files: various names of DLL in C:\Windows\System32 and also in a few personal folders. It didn’t detect OSA.EXE, which is part of MS-Office, but which I think is also part of the virus. Don’t quote me on that.
Anyway, here’s the useful bit: the most stubborn element was nnnoonm.dll in C:\Windows\System32. I had been warned about this file by the fellow-sufferer at the other end of the offending conversation: in addition, it’s date and time was the time of attack. When I tried to delete it, I got the usual message about “being used by another process” (Why can’t Windows tell you what process is using it?). I couldn’t find any mention of this on the internet.
So I hunted down "Unlocker" (no longer available, but other similar apps are available). This let me see that the process winlogon.exe had two connections to nnnoonm.dll. As far as I could see, this was the legitimate winlogon.exe and not a fraud. Unlocker let me rename the dll to nnjunk.dll, although the computer instantly rebooted as my punishment. Happily, once the computer came alive again, I could see that the rename had worked, and this had cleared the lock. I immediately deleted the file and breathed more easily.