What does a fake voicemail virus email get you?

Well, for one example, here’s what Windows Defender Offline (http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline) found from a scan of an infected machine. Fortunately the user powered down the computer immediately after realizing he had been had.

Rogue:Win32/Winwebsec
Trojan
file:D:\ProgramData\hDa3n3aV\serv.bat
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\Antivirus Security Pro support.url
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\Antivirus Security Pro.url
folders:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\

TrojanDownloader:Win32/Kuluoz.D
containerfile:D:\Users\–username-removed–\Downloads\VoiceMail_Seattle_(206)4581802.zip
file:D:\Users\–username-removed–\AppData\Local\dqegmcmb.exe
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Recent\VoiceMail_Seattle_(206)4581802.lnk
file:d:\users\–username-removed–\Downloads\VoiceMail_Seattle_(206)4581802.zip->VoiceMail_Seattle_(206)4581802.exe
regkey:HKCU@S-1-5-21-3504191443-3983057376-3714753911-2621\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ojphvgtg
runkey:HKCU@S-1-5-21-3504191443-3983057376-3714753911-2621\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ojphvgtg

A tip for you. After running the cleanup removal in Windows Defender Offline, disconnect the network and reboot the machine into a Microsoft ERD Commander disc, then use its registry editor and Windows Explorer to check the cleanup tool's work and make sure everything is gone. Then reboot and run Norton Power Eraser (https://security.symantec.com/nbrt/npe.aspx) for a final cleanup (the machine has to be online for the Norton tool to work).
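The detection listing above and the manual check recommended in the tip go together: every path and registry value the tool reports is something to confirm by hand afterwards. The following added example (mine, not code from the post or from any Microsoft tool) parses the listing exactly as quoted, with the author's username redaction kept, into structured detections and turns it into a post-cleanup checklist. The "kind:value" line format, the set of artifact kinds and the "HIVE@SID\key\\value" registry reference layout are assumptions read off this single sample.

```python
"""Parse a Windows Defender Offline detection listing into indicators and a
post-cleanup verification checklist.

Added example, not part of the post or of any Microsoft tool. SAMPLE_REPORT
is the listing quoted in the post; the line format, artifact kinds and
checklist wording are assumptions drawn from that sample.
"""
import re
from dataclasses import dataclass, field

# Artifact line prefixes seen in the sample listing (assumed complete for
# this example; any other line inside a detection is kept as category text).
KNOWN_KINDS = {"file", "containerfile", "folders", "regkey", "runkey"}

# Registry value reference as written in the listing: HIVE@SID\key\path\\valuename
REG_RE = re.compile(
    r"^(?P<hive>[A-Z]+)@(?P<sid>S-[\d-]+)\\(?P<key>.+?)\\\\(?P<value>[^\\]+)$"
)

SAMPLE_REPORT = r"""
Rogue:Win32/Winwebsec
Trojan
file:D:\ProgramData\hDa3n3aV\serv.bat
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\Antivirus Security Pro support.url
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\Antivirus Security Pro.url
folders:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro\

TrojanDownloader:Win32/Kuluoz.D
containerfile:D:\Users\–username-removed–\Downloads\VoiceMail_Seattle_(206)4581802.zip
file:D:\Users\–username-removed–\AppData\Local\dqegmcmb.exe
file:d:\users\–username-removed–\AppData\Roaming\Microsoft\Windows\Recent\VoiceMail_Seattle_(206)4581802.lnk
file:d:\users\–username-removed–\Downloads\VoiceMail_Seattle_(206)4581802.zip->VoiceMail_Seattle_(206)4581802.exe
regkey:HKCU@S-1-5-21-3504191443-3983057376-3714753911-2621\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ojphvgtg
runkey:HKCU@S-1-5-21-3504191443-3983057376-3714753911-2621\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\ojphvgtg
"""


@dataclass
class Detection:
    threat: str                                   # e.g. "TrojanDownloader:Win32/Kuluoz.D"
    categories: list = field(default_factory=list)  # e.g. ["Trojan"]
    artifacts: list = field(default_factory=list)   # (kind, value) pairs


def parse_report(text):
    """Group lines into detections: a blank line ends a detection and the
    first non-blank line of each group is the threat name."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        kind, sep, value = line.partition(":")
        if current is None:
            current = Detection(threat=line)
            detections.append(current)
        elif sep and kind.lower() in KNOWN_KINDS:
            current.artifacts.append((kind.lower(), value))
        else:
            current.categories.append(line)
    return detections


def parse_regkey(ref):
    """Break 'HKCU@SID\\KEY\\\\value' into hive, sid, key and value (None if it
    does not match the expected layout)."""
    m = REG_RE.match(ref)
    return m.groupdict() if m else None


def split_container(path):
    """'archive.zip->member.exe' -> ('archive.zip', 'member.exe');
    a plain path -> (path, None)."""
    container, sep, member = path.partition("->")
    return (container, member) if sep else (path, None)


def checklist(detections):
    """Items to confirm by hand after the cleanup tool has run. Duplicate
    references (regkey + runkey, containerfile + archive member) collapse
    to one item; comparison is case-insensitive because the listing mixes
    'D:\\Users' and 'd:\\users' for the same path."""
    items, seen = [], set()
    for det in detections:
        for kind, value in det.artifacts:
            if kind in ("regkey", "runkey"):
                reg = parse_regkey(value)
                if reg is None:
                    key, item = ("reg", value.lower()), f"registry: verify {value} is gone"
                else:
                    key = ("reg", reg["hive"], reg["key"].lower(), reg["value"].lower())
                    item = (f"registry: {reg['hive']}\\{reg['key']} value "
                            f"'{reg['value']}' removed (user SID {reg['sid']})")
            elif kind == "folders":
                key, item = ("folder", value.lower()), f"folder: {value} removed"
            else:
                container, member = split_container(value)
                key, item = ("file", container.lower()), f"file: {container} removed"
                if member:
                    item += f" (contained {member})"
            if key not in seen:
                seen.add(key)
                items.append(f"[{det.threat}] {item}")
    return items


if __name__ == "__main__":
    for line in checklist(parse_report(SAMPLE_REPORT)):
        print(line)
```

Run as a script it prints one line per artifact to verify; the checklist is also what you would hand to whoever boots the ERD Commander disc, so the manual pass covers every path and Run value the scan named rather than whatever comes to mind.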
