So are the 4 items removed by Malwarebytes the 'payload', or are they the same four items SEP quarantined? The sequence of events you describe are not clear, as the payload usually means something a trojan drops onto a machine. If SEP was stopping the attack, it shouldn't have a chance to drop its payload.
If there is something malicious that we're not detecting, by all means submit it. I would also use the Load Point Analysis portion of the Support Tool to see if there are suspcious items in the system's load points.
"How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files"
http://www.symantec.com/docs/TECH141402
If the same machines keep getting infected over and over again, I would examine them with the Microsoft Baseline Security Analyzer to determine if any critical updates are missing, and also ensure third party programs (like Java and Adobe Reader / Flash) are fully updated.
If you are not using NTP for IPS protection, I would advise enabling that ASAP.
"Best practices regarding Intrusion Prevention System technology"
http://www.symantec.com/docs/TECH95347
sandra