Got rid of a virus, but need to undo some damage

Page 1 of 2

  1. Posts : 7
    windows 7 home premium 64 bit
       #1

    Got rid of a virus, but need to undo some damage


    I contracted the "system cleaner" ransomware, probably due to having the Java plugin enabled in Firefox. I think I've gotten it off my system now by hard-deleting the files in Safe Mode while logged in as Administrator.

    However, I am unable to log in to my other user profile, the one I was logged in with when I contracted the virus. Once it starts logging in, instead of going to the desktop it immediately shuts the system down (with or without Safe Mode). If someone knows and can tell me what registry keys might be suspect, then I should be able to fix this...

  2.    #2

    Run SFC /SCANNOW. Run it in the Command Prompt at Boot if necessary, from the DVD or Repair CD.

    You may still be infected, so you need to run a bootable AV scan from Troubleshooting Windows 7 Failure to Start.

    Google the exact name of the infection to learn about any specialized removal tools.

    A serious infection often requires a Clean Reinstall - Factory OEM Windows 7 (same for retail) after backing up your files to quarantine and then scanning them thoroughly with Malwarebytes, your AV and the removal tools specified for the virus.


  3. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #3

    Thanks, but I'm satisfied the virus is gone (I'll spare you the details as to why) and I'm willing to run the risk of being wrong.

    There is some kind of crude command line script running on that particular user. I say crude because I can manage to log in by logging in as Administrator first, so that when I come to log in the other user it gives me a warning that other users are logged in and do I wish to shut down? I click Cancel and then I'm on with no further obstacle. taskmgr doesn't show any suspicious processes (this is in Safe Mode).

    I'm just wondering what would be the likely key in the registry that would cause this. I've checked the Startup folder in the Start menu (looks fine), and HKCU/blah/blah/Windows/CurrentVersion/Run (looks fine). I did a search of the registry on 'shutdown' without luck. In other words, what are all the registry keys that can cause an event where the computer attempts to shut down? Can the event logger be used to reveal this info? I don't know how to use it.

  4.    #4

    I'll ask a Security expert to have a look.

    My own specialty is Installation so perhaps biased but if ever I've seen the need for a reinstall it's here.
    Last edited by gregrocker; 03 Dec 2012 at 18:15.


  5. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #5

    I'm quite cavalier with my own system I suppose. I've had an infection last year and dealt with it similarly and was fine afterward. I didn't notice the security subforum or I would have posted there first. Thanks for the help.


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #6

    You may still have 'left over' temp files... download TFC (TFC - Temp File Cleaner by OldTimer, Geeks to Go Forums) and save it to your desktop.
    Save any unsaved work. TFC will close ALL open programs, including your browser!
    Double-click on TFC.exe to run it. If you are using Vista/Windows 7, right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


  7. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #7

    Sure, I'll do that and see if it pulls anything out when I'm done running MSE (I've already done a Symantec online scan and an AVG 2013 scan so far).

    The way I got rid of it by hand was to log in to Administrator in Safe Mode and search my hard drive with the * wildcard, sort by date, and I was able to pinpoint a collection of files at the time of infection (including the scare HTML file that took over my display, which I viewed in a text editor). But I wonder if viruses are able to manipulate the system clock so that this is not always reliable?

    What has me worried is how a Java plugin got turned on again in the first place... I thought I turned it off the last time I got an infection. Don't they ever release a secure version of Java browser plugins?

    Anyway, assuming I am rid of the infection, is there a way to trace what's causing the shutdown when logging in to my normal user account?

    I've found the following events but they don't tell me much:

    Event 1 (System log)
      Provider: Microsoft-Windows-Winlogon, Guid {DBE9B383-7CF3-4331-91CC-A3CB16A3B538}
      EventID 7001, Version 0, Level 4, Task 1101, Opcode 0, Keywords 0x2000000000000000
      TimeCreated: 2012-12-03T22:20:20.302069100Z
      EventRecordID 274529
      Execution: ProcessID 2380, ThreadID 2096
      Channel: System, Computer: Contuter
      Security UserID: S-1-5-18
      EventData: TSId 2, UserSid S-1-5-21-3021841014-1162341245-2895752552-1000

    Event 2 (System log)
      Provider: Application Popup
      EventID 26 (Qualifiers 16384), Level 4, Task 0, Keywords 0x80000000000000
      TimeCreated: 2012-12-03T22:20:21.000000000Z
      EventRecordID 274530
      Channel: System, Computer: Contuter
      EventData: Windows
      "Other people are logged on to this computer. Restarting Windows might cause them to lose data. Do you want to continue restarting?"
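The two events above are one second apart: the Winlogon 7001 logon notification for the affected SID, then the "Other people are logged on" prompt, which is what Windows shows when something calls the shutdown API while another session is active. What they do not show is which process asked for the shutdown. That is recorded separately, as System log event 1074 (provider User32), whose message names the initiating process and user, but only when the shutdown actually proceeds, so cancelling the prompt leaves no 1074 behind. The script below, an added example and not something posted in the thread, pulls the relevant System log events and lists what happened in the seconds after each logon of the affected account. The SID is taken from the posted 7001 event; the window length and the "Suspect"-free provider/ID table are the editor's choices.

```powershell
# Added example, not from the thread: list what the System log recorded in the
# seconds after each logon of the affected account, so a logon-time shutdown
# attempt can be tied to the process that requested it.
# Assumption: the SID below is the UserSid from the posted Winlogon 7001 event.
param(
    [string]$UserSid       = 'S-1-5-21-3021841014-1162341245-2895752552-1000',
    [int]   $WindowSeconds = 120,
    [int]   $MaxEvents     = 5000
)

# Provider/ID pairs worth correlating. 7001 alone is ambiguous (Service Control
# Manager also uses it), so the provider name is checked as well.
$interesting = @{
    'Microsoft-Windows-Winlogon' = 7001   # session logon notification (EventData: TSId, UserSid)
    'Application Popup'          = 26     # a system dialog was shown (the "Other people are logged on" prompt)
    'User32'                     = 1074   # a process called the shutdown API; message names process and user
    'EventLog'                   = 6006   # event log service stopped: the shutdown actually went through
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7001, 26, 1074, 6006 } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
          Where-Object { $interesting[$_.ProviderName] -eq $_.Id } |
          Sort-Object TimeCreated

# Logons of the account in question: the SID sits in the 7001 event's EventData.
$logons = $events | Where-Object { $_.Id -eq 7001 -and $_.ToXml() -match [regex]::Escape($UserSid) }
if (-not $logons) { Write-Output "No Winlogon 7001 events found for $UserSid"; return }

foreach ($logon in $logons) {
    $end = $logon.TimeCreated.AddSeconds($WindowSeconds)
    Write-Output ('=== logon at {0:u}  session {1} ===' -f $logon.TimeCreated, $logon.Properties[0].Value)
    $events |
        Where-Object { $_.TimeCreated -ge $logon.TimeCreated -and $_.TimeCreated -le $end -and $_.RecordId -ne $logon.RecordId } |
        ForEach-Object {
            $delta = [int]($_.TimeCreated - $logon.TimeCreated).TotalSeconds
            # The first line of a 1074 message reads "The process <path> has initiated the shutdown ..."
            $first = ([string]$_.Message -split "`r?`n")[0]
            Write-Output ('  +{0,4}s  {1,-26} {2,5}  {3}' -f $delta, $_.ProviderName, $_.Id, $first)
        }
}
```

Save it as a .ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File <path>` (Windows 7 ships with script execution disabled). If every logon in the output is followed only by an Application Popup 26, the prompt was cancelled each time and nothing names the culprit; letting the shutdown go through once while no other user is logged on, then running the script after the reboot, produces the 1074 line with the process path.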


  8. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #8

    I ran that app for deleting temporary files as you suggested. I still get the attempts to shut down when logging in. I'm not convinced it's a script, just some way the registry has been abused to make it behave in this way.

    Is it within anyone's knowledge to tell me what I might need to look for?


  9. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #9

    Hmm, at the speed this is going maybe I would have saved time just reinstalling... to me, though, that's like a retailer throwing a fridge in a landfill because it has a scratch on it. It's a huge PITA waiting for Windows to reinstall; then you have to reinstall every single app you had before, then you have to import the old settings (where possible), and reinstall all your Steam games, which will still happily lose all your save game config unless you take precautions, etc. etc., and then still something isn't quite the same as before.

    I'll look around the web and see if there is such a thing as an expert on the Windows registry... although if someone can help me here in the meantime, all the better. :)


  10. Posts : 7
    windows 7 home premium 64 bit
    Thread Starter
       #10

    I don't know if it would be helpful to point out that the shutdown attempt occurs if I log in with Safe Mode with Networking, but if I log in with Safe Mode with Command Prompt this does not happen, even after launching Explorer manually from the shell...
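The observation in the last post narrows the search. In Safe Mode with Command Prompt, Winlogon starts the program named in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell (cmd.exe by default) instead of the Winlogon Shell value, while Safe Mode with Networking starts whatever Shell says; the Userinit value runs in both, and the Run keys are skipped in Safe Mode either way (only RunOnce values whose name begins with * still execute there). A further point about the earlier registry check: HKCU is the hive of whoever is logged on, so HKCU inspected from the Administrator account is the Administrator's hive, not the affected user's. The script below, an added example written for this thread and not code from any poster, prints those logon-time launch points for the affected account's own hive and marks values that differ from the Windows 7 defaults. Assumptions: it is run from an elevated PowerShell, the SID is the one in the posted 7001 event, "Suspect" is an arbitrary mount name for the offline hive, and the expected Shell/Userinit values are those of a default install on C:\.

```powershell
# Added example, not from the thread: dump the registry launch points that run at
# logon, reading the affected account's hive rather than the administrator's.
# Assumptions: elevated PowerShell; $UserSid from the posted 7001 event; "Suspect"
# is an arbitrary mount name; expected values are Windows 7 defaults on C:\.
param(
    [string]$UserSid = 'S-1-5-21-3021841014-1162341245-2895752552-1000'
)

$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue

function Show-Value([string]$Path, [string]$Name, [string]$Expected) {
    # Read without expanding REG_EXPAND_SZ so %USERPROFILE% compares literally.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    $actual = '<absent>'
    if ($null -ne $key) {
        $raw = $key.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($null -ne $raw) { $actual = [string]$raw }
    }
    $status = 'ok'; if ($actual -ne $Expected) { $status = 'CHECK' }
    Write-Output ('  [{0,-5}] {1}\{2} = {3}' -f $status, $Path, $Name, $actual)
}

function Show-RunKey([string]$Path) {
    # Every value under a Run/RunOnce key is a command line; print them all.
    # A RunOnce value whose name starts with * is executed even in Safe Mode.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $flag = ''; if ($name.StartsWith('*')) { $flag = '   <-- * prefix' }
        Write-Output ('  {0}\{1} = {2}{3}' -f $Path, $name, [string]$key.GetValue($name), $flag)
    }
}

# Mount the user's hive: present under HKEY_USERS if the user is logged on,
# otherwise loaded from NTUSER.DAT at the path recorded in ProfileList.
$loaded = $false
if (Test-Path "HKU:\$UserSid") {
    $userRoot = "HKU:\$UserSid"
} else {
    $profilePath = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$UserSid").ProfileImagePath
    & reg.exe load 'HKU\Suspect' (Join-Path $profilePath 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not load the hive for $UserSid" }
    $loaded = $true
    $userRoot = 'HKU:\Suspect'
}

try {
    $wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Write-Output '--- Shell/Userinit: used on a normal boot and in Safe Mode with Networking ---'
    Show-Value "HKLM:\$wl"     'Shell'    'explorer.exe'
    Show-Value "HKLM:\$wl"     'Userinit' 'C:\Windows\system32\userinit.exe,'
    Show-Value "$userRoot\$wl" 'Shell'    '<absent>'    # per-user override, honoured when present
    Show-Value "$userRoot\$wl" 'Userinit' '<absent>'

    Write-Output '--- Safe Mode with Command Prompt starts this instead of Shell ---'
    Show-Value 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell' 'cmd.exe'

    Write-Output '--- Other per-user launch points ---'
    $win = "$userRoot\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    Show-Value $win 'Load' '<absent>'
    Show-Value $win 'Run'  '<absent>'
    Show-Value "$userRoot\Environment" 'UserInitMprLogonScript' '<absent>'
    Show-Value "$userRoot\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 'Startup' `
               '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Show-Value 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe' 'Debugger' '<absent>'

    Write-Output '--- Run / RunOnce command lines (affected user hive, then HKLM) ---'
    $cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
    foreach ($k in @("$userRoot\$cv\Run", "$userRoot\$cv\RunOnce", "$userRoot\$cv\Policies\Explorer\Run",
                     "HKLM:\$cv\Run", "HKLM:\$cv\RunOnce", "HKLM:\$cv\Policies\Explorer\Run",
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce')) {
        Show-RunKey $k
    }
} finally {
    # Release handles before unloading, or reg.exe reports the hive as in use.
    if ($loaded) { [GC]::Collect(); & reg.exe unload 'HKU\Suspect' | Out-Null }
}
```

Run it while the affected user is logged off so the hive is loaded from NTUSER.DAT, or while both accounts are logged on (as in post #3) so the hive is read directly under HKEY_USERS. A CHECK line is not proof of tampering on its own; read the command line it prints, and note that a value may point at a .bat, .cmd or .vbs file, which is why a registry search for the word "shutdown" can come back empty.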


 