This turned out to be a very strange one. tumri.net is an old piece of crapware, but it appears to have a newer twist.
A client has the latest version of AOL. He has used AOL for 20 years, give or take, and has never had anything bad installed through AOL, so he was never interested in using anything else.
Recently though, his bank told him that AOL was not secure enough, and that he should try using Firefox or Google Chrome if he wants to use online banking.
Last night he was also looking at emails from folks he frequently gets emails from, and ended up getting constant popups from tumri.net plus a ton from places local to him.
I blocked the site within every browser, but had to block it via host file (127.0.0.1 tumri.net) for it to work in AOL.
But that was only partially successful; it prevented the content, but the popups themselves continued every 5 seconds as before in AOL.
It did not do that in any other browsers.
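The hosts-file block mentioned above (127.0.0.1 tumri.net) is only as good as the exact names listed in the file. The following added example, not part of the original post, parses hosts-file syntax (comments, blank lines, several hostnames per line) and reports, for a list of domains, whether each one is actually mapped to a loopback or null address. The sample hosts content is constructed for the demonstration; the entries, including the ads.example-tracker.invalid and example.com lines, are placeholders.

```python
"""Report which domains a hosts file really blocks.

Added example (not from the original post). Parses hosts-file syntax and
checks whether each requested name is pinned to a loopback/null address.
Names that are not listed, or that map somewhere else, are reported too,
because a hosts entry for tumri.net does not cover www.tumri.net or any
other subdomain unless it is listed explicitly.
"""
import ipaddress

# Constructed sample hosts file, mirroring the 127.0.0.1 tumri.net entry
# from the post. Addresses and extra names are placeholders.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1 tumri.net        # added to stop the popups
0.0.0.0   www.tumri.net ads.example-tracker.invalid
192.0.2.10 example.com     # a real mapping, not a block
"""

# Addresses conventionally used to null-route a hostname.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text):
    """Return {hostname: address} for every mapping in hosts-file text.

    The first entry for a name wins, matching how resolvers read the file.
    Trailing comments and malformed lines are ignored.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostnames is not a mapping
        addr = parts[0]
        try:
            ipaddress.ip_address(addr)  # accept only valid IP literals
        except ValueError:
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), addr)  # first match wins
    return mapping


def check_blocked(text, domains):
    """Classify each domain as blocked, absent, or mapped elsewhere."""
    mapping = parse_hosts(text)
    result = {}
    for domain in domains:
        addr = mapping.get(domain.lower())
        if addr is None:
            result[domain] = "not in hosts file"
        elif addr in BLOCKING_ADDRESSES:
            result[domain] = "blocked"
        else:
            result[domain] = f"mapped to {addr}, not blocked"
    return result


if __name__ == "__main__":
    # cdn.tumri.net shows the subdomain gap: blocking tumri.net alone
    # does nothing for other names under that domain.
    for name, status in check_blocked(
        SAMPLE_HOSTS, ["tumri.net", "www.tumri.net", "cdn.tumri.net", "example.com"]
    ).items():
        print(f"{name:28} {status}")
```

On a live machine, read the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) instead of SAMPLE_HOSTS. A "blocked" result only tells you the name resolution is null-routed; an application that carries its own resolver or proxy settings can still bypass the hosts file, which is consistent with the popups surviving in the AOL client while other browsers stayed quiet.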
That is the backdrop of today's mess.
I tried various tools: Malwarebytes Antimalware, aswMBR.exe, JRT, the client's ESET NOD32 scanner, Kaspersky's TDSSKiller, Combofix, CCleaner, Oldtimer's OTF for deeper cleaning.
I read all the logs and there was nothing that any of them found that would cause the problem. aswMBR, Malwarebytes, ESET's NOD32, and TDSSKiller found absolutely nothing.
I checked the processes and nothing looked amiss.
What it finally came down to was uninstalling AOL completely and downloading it fresh and reinstalling it. That took care of it. And he was very happy in the end.
Between this problem today and what his bank said, he is now willing to move to another browser, where we could install Adblock Plus with Malware Domains enabled in Adblock Plus, and WOT.
He used web-based AOL email before when traveling, so it worked out well. He has a lot of work to do to get all his hundreds of Favorites moved over to the other browser, but hopefully he will be happy enough with his alternative browser to keep himself safer.
I think it came from an email, possibly from Yahoo. It is also possible that we had it fixed, until he opened the email from Yahoo again each time. There's no way to be sure of that, except to open it again in the newly installed AOL, and neither of us is going to try that.
The Yahoo email doesn't do anything in the new browser with that domain blocked six ways to Sunday, and he is very happy about that.
I think there is a very good chance that it modified some DLL for AOL's network socket, because Combofix actually removed its networking and it had to be re-installed after the Combofix reboot. But apparently either it re-installed after the email was reopened, or it really needed a full uninstall and reinstall of AOL to fix it.