Our company was infected by W32.XPAJ.B a couple of weeks ago. At first, SAV quarantined the files the virus was infecting. A couple of days later it started to clean the files. After scanning all machines, the virus no longer appears to be infecting our files. However, SAV will now periodically catch files in the C:\Windows\Temp directory that it says are infected. These files are not the type of files the virus is known to infect. The files usually have an extension of ".qsp" and sometimes ".qef". I will also sometimes see files named "00000000.zip". I observed the directory yesterday after login and noticed that the activity seemed to coincide with SAV's startup scan procedure, as the files started popping up after log on. The files would then be deleted moments later. After SAV's startup scan completed, the activity stopped.
So, my question is, are these files possibly related to SAV's normal operation or is the virus still trying to activate itself at log on? I have run other scans using Sophos, Ad-Aware, NOD32, ComboFix, etc. in safe mode with command prompt and they aren't finding anything I could see that would be related to this virus. Any help would be appreciated.
TIA