Windows 7: Got rid of a virus, but need to undo some damage

I contracted the "system cleaner" ransomware, probably due to having java plugin enabled in firefox. I think i've gotten it off of my system now by hard-deleting the files in safe mode while logged in as administrator.

However, I am unable to login my other user profile that I was logged in with when I contracted the virus. Once it starts logging in instead of going to desktop it immediately shuts the system down (with or without safe-mode). If someone knows and can tell me what registry keys might be suspect then I should be able to fix this...

Run SFC /SCANNOW Run in Command Prompt at Boot if necessary from the DVD or Repair CD.

You may still be infected so need to run a bootable AV scan from Troubleshooting Windows 7 Failure to Start.

Google the exact name of the infection to learn about any specialized removal tools.

Serious infection often requires a Clean Reinstall - Factory OEM Windows 7 (same for retail) after backing up your files to quarantine and then scanning them thoroughly with Malwarebytes, your AV and the removal tools specified for the virus.

Thanks, but I'm satisfied the virus is gone (I'll spare you the details as to why) and i'm willing to run the risk of being wrong.

There is some kind of crude command line script running on that particular user. I say crude because I can manage to login by logging in with administrator first, so that when I come to login the other user it gives me a warning that other users are logged in and do I wish to shut down? I click cancel and then i'm on with no further obstacle. taskmgr doesn't show any suspicious processes (this is in safe mode).

I'm just wondering what would be the likely key in the registry that would cause this. I've checked startup folder in the start menu (looks fine), and HKCU/blah/blah/Windows/CurrentVersion/Run (looks fine). I did a search of the registry on 'shutdown' without luck. In other words, what are all the registry keys that can cause an event where the computer attempts to shut down? Can event logger be used to reveal this info? I don't know how to use it.

I'll ask a Security expert to have a look.

My own specialty is Installation so perhaps biased but if ever I've seen the need for a reinstall it's here.

I'm quite cavalier with my own system I suppose. I've had an infection last year and dealt with it similarly and was fine afterward. I didn't notice the security subforum or I would have posted there first. Thanks for the help.

You may still have 'left over' temp files ... download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Sure, I'll do that and see if it pulls anything out, when I'm done running MSE (already done symantec online scan and avg 2013 scan so far).

The way I got rid of it by hand was to login to administrator in safe mode and search my harddrive with * wildcard, sort by date, and I was able to pinpoint a collection of files at the time of infection (including the scare html file that took over my display, which I viewed in a text editor). But I wonder if viruses are able to manipulate the system clock so that this is not always reliable?

What has me worried is how a java plugin got turned on again in the first place... I thought I turned it off the last time I got an infection. Don't they ever release a secure version of java browser plugins?

Anyway, assuming I am rid of the infection, is there a way to trace what's causing the shut down when logging in to my normal user account?

I've found the following events but they don't tell me much:

I ran that app for deleting temporary files as you suggested. I still get the attempts to shut down when logging in. I'm not convinced it's a script, just some way the registry has been abused to make it behave in this way.

Is it within anyone's knowledge to tell me what I might need to look for?

Hmm, at the speed this is going maybe I would have saved time just reinstalling... to me though that's like a retailer throwing a fridge in a landfill because it has a scratch on it. It's a huge PITA waiting for windows to reinstall, then you have to reinstall every single app you had before, then you have to import the old settings (where possible), and reinstall all your steam games, which will still happily lose all your save game config unless you take precautions, etc etc. and then still something isn't quite the same as before.

I'll look around the web and see if there is such a thing as an expert on the windows registry... although if someone can help me here in the meantime, all the better.

I don't know if it would be helpful to point out that the shutdown attempt occurs if I login with safemode & networking, but if I login with safemode & command prompt this does not happen, even after launching explorer manually from the shell...