Yes, Imperfect1 has a good point: first of all, if you don't need to do backups, you may want to think about what you had on the HD that was sensitive and then call the bank/credit card issuer/ISP to have your accounts checked.
Then, wipe your HD. I don't know if you have the time (and maybe it's also overkill), but in case of malware attacks I always performed a "one-pass zeros" wipe before reinstalling (I worked as a PC techie for a small company, so I had the chance to let it run overnight, because it may also take 3 or 4 hours for a 1TB drive).
Then I'd suggest you re-install Windows, creating two different profiles: an administrative one that you'll use yourself and a standard one, subject to UAC, to let your son use the PC, reducing the risk of being hit again.
I use a limited user account myself even though I am also the owner of the administrative one, so you may also want to create a standard account for yourself.
Then, change all of your passwords (no matter what they are for), as it's better to be safe than sorry.
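
The account split suggested above, as an added PowerShell example that is not part of the original post: it creates the standard account, then checks that it did not end up in the Administrators group and that UAC is enabled. The account name `son` is a hypothetical placeholder; the script assumes an elevated prompt on the freshly installed machine.

```powershell
#Requires -RunAsAdministrator
# Hypothetical name for the standard (non-admin) profile; change to suit.
$StandardUser = 'son'

# Well-known SIDs are used instead of group names, which are localized.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# Create the standard account if it does not exist yet. The password is
# prompted for, so it never appears in the script or the shell history.
if (-not (Get-LocalUser -Name $StandardUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $StandardUser"
    New-LocalUser -Name $StandardUser -Password $pw `
        -Description 'Standard account, no admin rights' | Out-Null
    Add-LocalGroupMember -SID $UsersSid -Member $StandardUser
}

# Collect the short names of every member of Administrators.
$admins = Get-LocalGroupMember -SID $AdminsSid |
    ForEach-Object { ($_.Name -split '\\')[-1] }

# List every enabled local account and whether it has admin rights.
Get-LocalUser | Where-Object Enabled |
    Select-Object Name, @{ n = 'IsAdmin'; e = { $admins -contains $_.Name } } |
    Format-Table -AutoSize

if ($admins -contains $StandardUser) {
    Write-Warning "$StandardUser is a member of Administrators; remove it."
}

# UAC state: EnableLUA = 1 means UAC is on. ConsentPromptBehaviorUser
# controls what a standard user sees on elevation:
#   0 = elevation requests denied, 1 or 3 = prompt for admin credentials.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is disabled (EnableLUA is not 1).'
} else {
    "UAC enabled; standard-user prompt behaviour = $($uac.ConsentPromptBehaviorUser)"
}
```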