Hi there,

I have the majority of my servers (3) in my domain infected with some type of malware (or more than one). I have scanned with Malwarebytes, Search and Destroy (S&D) and AVG to no avail.

First, I have done the following:

1. Rebuilt my domain twice with a different domain name, applying W2003 SP2, and loading in Malwarebytes before hooking up to the LAN until I needed to download Windows updates, downloaded AVG and S&D and ran them all. Each time I got reinfected.
2. All of the infected servers have the malware trying to get out to 188.72.250.42, 217.20.115.1, 218.8.245.123 among others, and they are caught by the Malwarebytes monitor.
3. All of the servers have multiple DNS.exe and lsass.exe instances spawned.
4. The same or different malware took over my domain admin and locked me out EVEN AFTER I REINSTALLED THE DOMAIN WITH A DIFFERENT NAME!

I have run Sysinternals RootkitRevealer and nothing showed up except for incorrect truncation in the HKLM\software\classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\inprocserver32\ThreadingModel. According to the Sysinternals forums, Microsoft truncated the entry "Both" to "Bo". The forum is here: http://social.technet.microsoft.com/forums...e-31958e06729d/

I'm at the end of my rope! Help would be appreciated.