
MalwareBytes Missing a virus/malware signature



Hi There:

I have the majority of my servers (3) in my domain infected with some type of malware (or more than one). I have scanned with Malwarebytes, Search and Destroy (S&D) and AVG to no avail. First, I have done the following:

1. Rebuilt my domain twice with a different domain name, applying W2003 SP2, and loading in Malwarebytes before hooking up to the LAN until I needed to download Windows updates, downloaded AVG and S&D and ran them all.

Each time I got reinfected.

2. All of the infected servers have the malware trying to get out to 188.72.250.42, 217.20.115.1, 218.8.245.123 among others and they are caught by Malwarebytes monitor.

3. All of the servers have multiple DNS.exe and lsass.exe instances spawned.

4. The same or different malware took over my domain admin and locked me out EVEN AFTER I REINSTALLED THE DOMAIN WITH A DIFFERENT NAME!

I have run Sysinternals RootkitRevealer and nothing showed up except for incorrect truncation in the HKLM\software\classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\inprocserver32\ThreadingModel. According to the Sysinternals forums, Microsoft truncated the entry "Both" to "Bo". The forum is here:

http://social.technet.microsoft.com/forums...e-31958e06729d/

I'm at the end of my rope!

Help would be appreciated.


Thanks Jacktivity:

Two of the servers are domain controllers. The third is my Exchange server.

Because malware has taken over the admin account (I can still use it but I can't change anything), I can't add my name (admin) or anyone else in the organization to the newly built domain.

So email is out.

When I promoted the first server to a DC on the new domain, I was able to create an alternate admin account, but whatever malware it is has changed my password.

S-i-i-i-gh.

P.S. I just purchased 3 licenses, but no email so no order number. The account is Phil Wyatt, Medical Central Online.

Thanks
