Endpoint Protection

  • 1.  W32.XPAJ.B and .QSP Files

    Posted Oct 11, 2009 09:23 AM
    Our company was infected by W32.XPAJ.B a couple of weeks ago. At first, SAV quarantined the files the virus was infecting. A couple of days later it started to clean the files. After scanning all machines the virus no longer appears to be infecting our files. However, SAV will now periodically catch files in the C:\Windows\Temp directory that it says are infected. These files are not the type of files the virus is known to infect. The files usually have an extension of ".qsp" and sometimes ".qef". I will also sometimes see files named "00000000.zip". I observed the directory yesterday after login and noticed that the activity seemed to coincide with SAV's startup scan procedure, as the files started popping up after log on. The files would then be deleted moments later. After SAV's startup scan completed, the activity stopped.

    So, my question is, are these files possibly related to SAV's normal operation, or is the virus still trying to activate itself at log on? I have run other scans using Sophos, Ad-Aware, NOD32, ComboFix, etc. in safe mode with command prompt, and they aren't finding anything I could see that would be related to this virus. Any help would be appreciated.

    TIA

  • 2.  RE: W32.XPAJ.B and .QSP Files

    Posted Oct 11, 2009 09:53 AM
    Most of the time this is when the required patch is missing. Check whether KB958644 is installed.


  • 3.  RE: W32.XPAJ.B and .QSP Files

    Posted Oct 11, 2009 10:27 AM
    Thanks, but that patch was applied. So, you think it's still malicious activity and not Symantec related?


  • 4.  RE: W32.XPAJ.B and .QSP Files

    Posted Oct 11, 2009 05:19 PM
    ...Don't go by the extensions. For example, a jpg is also executable for cmd. Rename an exe to jpg and drop it on cmd... It executes the same way. It's been observed that repeated detections (and deletions) for the files are more frequent when the machine is not patched up. You might like to run MBSA; it doesn't sound like a product failure to me.
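    As an added example (not from anyone in this thread), here is a small Python script that follows the advice in reply 4 and classifies files in a directory by their header bytes rather than by their extension, so a ".qsp" or ".zip" name in a temp folder can be checked for what it actually contains. The file names and contents are constructed samples, not real artifacts from the infection.

```python
import os
import struct
import tempfile

# Magic-number sniffing: a ".qsp" or ".jpg" name says nothing about what a
# file really is, so we look at the header bytes instead of the extension.
def sniff_type(data: bytes) -> str:
    """Classify a file by content: 'pe', 'dos-mz', 'zip' or 'unknown'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
        return "dos-mz"  # MZ stub without a PE header (e.g. a DOS executable)
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):  # local file header / empty archive
        return "zip"
    return "unknown"

def scan_dir(path: str, head: int = 4096) -> dict:
    """Map each regular file in `path` to its sniffed type, regardless of extension."""
    result = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                result[name] = sniff_type(fh.read(head))
    return result

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) for the demo."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

def demo() -> dict:
    """Write constructed samples with misleading extensions to a temp dir and sniff them."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "abcd1234.qsp": _fake_pe(),                 # PE image behind a .qsp name
            "00000000.zip": b"PK\x03\x04" + b"\0" * 26,  # genuine ZIP local header
            "notes.qef": b"just text\r\n",              # harmless text
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_dir(d)
```

    Calling `demo()` returns the sniffed type per sample; point `scan_dir()` at a real directory to triage files there by content.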