ThaveshinP:
A couple of general bits of advice if I may, based on my own experiences.
First, turn your users to Standard user, not Administrator on their own system. This prevents most of this adware and related stuff from ever getting installed since their account has no rights to install software.
Second, once a system is breached in this way, it might be safer to consider it a standard policy to always wipe the machine and put in a fresh image (or manually rebuild). Why? Because the old school mentality of the system admin thinking he knows better than the craftiest virus authors doesn't apply. Like you, I have spent many hours of my career manually combating the effects of viruses. However, since almost all trojans and viruses these days tend to open a backdoor that then downloads additional malware, the base effect is that your system is completely open to every virus on earth (when you think about it, that really puts things into perspective, doesn't it?). So there's no way we can outsmart them.
Much like the concept of "defence in depth" is talked about at times, the less discussed concept of "offense in depth" is not. Think of it this way: a virus writer makes his stuff do two things: one, install a bunch of commercial adware and other lame money-making gimmicks on your system, make them relatively easy to find, because the vast majority of non-enterprise system admins won't wipe a system, they'll just chase after symptoms and once the system "appears" to be ok, they move on. But second, then embed more deep-level stuff, rootkits and what not, that continue running on that system long after you've moved on.
I've seen it many times, I spend lots of time trying to manually fix up a system, only to find out that more annoying 54645545.tmp files and so on are being flagged.
Best to develop a strategy to just wipe systems when this stuff occurs, but to greatly prevent it from occurring, set the user as Standard and not admin.
Also I think if you turn off the SEP firewall you also turn off IPS, or maybe just browser-based IPS, I don't know for sure. Consider re-enabling it as SEP relies heavily on cross-component integration for its success.
One last note: I went about 1.5 yrs fighting that stupid Conduit SearchProtect. FINALLY, Symantec has flagged it as malware or a PUP or whatever, and SEP stops it. Your situation sounds exactly like SearchProtect. So keep at Symantec and they'll make signatures for this too.