How Do I Find/Remove a DNS Hijack

Mar 21, 2016 11:03 PM

I have a friend's Windows 7 (64-bit) computer that has a DNS hijack in it.

Steps I have done currently to remove the DNS and viruses:

  1. Disconnected internet
  2. Ran: AdwCleaner, JRT, Emsisoft, Kaspersky, ReasonCore, Zemana, and lastly RogueKiller to remove the current DNS changes.
  3. Reset DNS and ran TweakingRepair to do a full fix
  4. Reset internet options in Control Panel (removing cookies)
  5. Removed all unknown services and startup items.
  6. Used Autoruns to remove any unknown or malicious startup as well.

While disconnected from any network and internet, it will keep the DNS malware removed whenever I run RogueKiller. However, as soon as I reconnect it to the network it instantly gets the malware DNS changes again.

I am wondering what else can I run to possibly remove a DNS hijack? Because I am thinking there must be some exploit or hidden script running that recreates the DNS changes every time it connects to network.

The short story of this is, she got called from someone claiming to be from Rwglobal Tech Repair. SCAM website: http://www.rwglobal.us/

Anyone know about what they do in particular?

Thanks
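
Added example, not part of the original post: a read-only PowerShell check (works on the PowerShell 2.0 that ships with Windows 7) that shows, per network interface, whether the DNS servers in use were written statically on the PC or arrived in the DHCP lease from the network. It reads the standard `Tcpip\Parameters\Interfaces` registry values and changes nothing.

```powershell
# Added example: lists where each interface's DNS servers come from.
# NameServer     = statically configured on this PC (overrides DHCP when set)
# DhcpNameServer = delivered in the DHCP lease by the device named in DhcpServer
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-ChildItem -Path $base | ForEach-Object {
    $p      = Get-ItemProperty -Path $_.PSPath
    $static = "$($p.NameServer)".Trim()
    $dhcp   = "$($p.DhcpNameServer)".Trim()

    # Skip interfaces that have no DNS configuration at all
    if ($static -or $dhcp) {
        if ($static) {
            $source = 'static (set on this PC)'
            $inUse  = $static
        } else {
            $source = 'DHCP lease (set by the network)'
            $inUse  = $dhcp
        }

        New-Object PSObject -Property @{
            Interface      = $_.PSChildName
            DnsInUse       = $inUse
            Source         = $source
            StaticDns      = $static
            DhcpDns        = $dhcp
            DhcpServer     = "$($p.DhcpServer)"
        }
    }
} | Select-Object Interface, DnsInUse, Source, StaticDns, DhcpDns, DhcpServer |
    Format-List
```

If the unwanted address appears only under `DhcpDns`, the PC is receiving it from the device listed as `DhcpServer` (normally the router), so the setting to inspect is on that device rather than on the computer.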
