Need help with constant popups

[REDACTED]

On one of our business computers we have been having Avast for a couple of years now.  Well somehow some Malware or a virus got past Avast.  I have no idea how it happened, but we are always getting popups for objects such as tpsearch.me, search-world.biz, nemo-finder.me...  Lately we have been having a lot of issues with this machine and now it barely works and we can't even use our POS system.  What should I do to fix this?

[Pondus]

follow instructions here  https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool logs ... 3 logs total

see below the box you write in ... Attachments and other options

[REDACTED]

Here we go---ADMIN. ACCOUNT

[essexboy]

Not a great deal showing there

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieUserList
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieSiteList
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieBrowserModeList
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S0].txt as well.
  

[REDACTED]

fixlog---ADMIN.

[REDACTED]

adw---ADMIN.

[essexboy]

How is the computer behaving now ?

[REDACTED]

Works fine under admin., but if we log in to this branch's profile then the Avast warning popups start popping up constantly.  Everything seems to be tied to this profile.  Still Finding Nemo or whatever, a couple other ones I was able to write down real quick are:

Object:  http://fff5ee.com/q
Infection:  MAL
Process:  c:\windows\syswow64\dllhost.exe

Object:  the-search-panet.info/search.php?query=anti+aging+products
Infection:  MAL
Process:  c:\programfiles\internetexplorer\iexplore.exe

[essexboy]

Could you run a scan under that profile please

[REDACTED]

Sorry, I forgot that the profiles act almost like different machines and are mostly independent of one another.
---HOUMA STORE

[essexboy]

This will cure it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-2768183970-1955982448-509404506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
CustomCLSID: HKU\S-1-5-21-2768183970-1955982448-509404506-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[REDACTED]

Now it's happening to the admin. account.

[essexboy]

How many separate accounts are there ?

Could you run FRST on each and name them so that you know which is which

[REDACTED]

There are only 2 accounts on this system.  Why it was done this way, I wish I could tell you.  Originally it was the HOUMA STORE account that was messing up.  Admin was fine.  I ran everything here under both accounts that we did them for.  So far so good (knock on wood).  Here are the final logs from the Houma store account.

---HOUMA STORE

[essexboy]

Did you run the fixlist on the HOUMA account as the log you have just posted appears to  be the original rather than the log generated after the fix