We must disable the Real-Time Protection feature of Windows Defender for it may interfere with the changes we need to make.
To disable Real-Time Protection:
- Go to "Tools" | "General Settings"
- Scroll down to "Real-time protection options"
- Uncheck "Turn on real-time protection (recommended)"
- Remember to reactivate this feature when we have finished all our work.
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
- Go to the Options>Program Options
- Uncheck Load at Windows Startup
- Click Shields & uncheck all items there
- Uncheck Home page shield.
HijackThis!
Open HijackThis and click on Scan. Check the following entries
(make sure you do not miss any):
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [{1F-F4-4A-A0-ZN}] c:\windows\system32\dwdsregt.exe GID003
Please remember to close all other windows, including browsers, then click Fix checked.
Reboot and see if they come back.
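
The "reboot and see if they come back" check can be scripted against a saved HijackThis log. This is an added example, not part of the original post: it parses the Run-key form of O4 lines and compares the fixed entries with a post-reboot scan. The function names and the RESCAN log are constructed for illustration.

```python
import re

# Run-key form of a HijackThis O4 line: O4 - <hive>\..\<key>: [<name>] <command>
O4_RUN = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\([^:]+): \[(.*?)\] (.+)$")

def parse_o4(log_text):
    """Map (hive, key, value name) -> command for each O4 Run-style line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key.lower(), name.lower())] = command.strip()
    return entries

def came_back(fixed_log, rescan_log):
    """List fixed entries that are present again in the post-reboot scan."""
    after = parse_o4(rescan_log)
    by_command = {cmd.lower(): ident for ident, cmd in after.items()}
    findings = []
    for ident, cmd in parse_o4(fixed_log).items():
        if ident in after:
            same = after[ident].lower() == cmd.lower()
            findings.append((ident[2], "returned" if same else "returned, command changed"))
        elif cmd.lower() in by_command:
            # Same command line re-registered under a different value name.
            findings.append((ident[2], "returned as [%s]" % by_command[cmd.lower()][2]))
    return findings

# The two entries listed in the post above.
FIXED = r"""
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [{1F-F4-4A-A0-ZN}] c:\windows\system32\dwdsregt.exe GID003
"""

# Constructed post-reboot scan: one unrelated entry, and the second fixed
# command registered again under a made-up value name.
RESCAN = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
O4 - HKLM\..\Run: [{CONSTRUCTED-NAME}] c:\windows\system32\dwdsregt.exe GID003
"""

if __name__ == "__main__":
    for name, status in came_back(FIXED, RESCAN):
        print(name, "->", status)
```

An entry that returns after "Fix checked" means something still running is rewriting the Run key, so the next scan log should be posted in full.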