Wednesday, July 17, 2013

Tech: Getting rid of pesky Mal/Bad Src-C Malware showing up in OSX Spotlight Cache...

For months, I ignored the Sophos Quarantine Manager warnings about Mal/Bad Src-C showing up in the OSX Spotlight cache.  I was never able to find the source file for the index entry on my local disk, and then I happened across this Sophos community article.  Agile's comment was particularly relevant to the behavior I was seeing:

    "SAV is detecting cached files which no longer exist on your computer, and therefore no longer exist in the Quarantine Manager"

So, the logical thing to do is drop the cache.  Since this was on my work machine, I first had to grant myself root access.  This is also useful if you actually want to look at the contents of the Spotlight cache.  There is a nice Apple KB article about how to enable the root user if you already have admin privs. If you have an older version of OSX, be sure to reference that article.  For Lion, the latest version referenced as of this writing, I've included the steps below for ease of use:

OS X Lion
  1. From the Apple menu choose System Preferences....
  2. From the View menu choose Users & Groups.
  3. Click the lock and authenticate as an administrator account.
  4. Click Login Options....
  5. Click the "Edit..." or "Join..." button at the bottom right.
  6. Click the "Open Directory Utility..." button.
  7. Click the lock in the Directory Utility window.
  8. Enter an administrator account name and password, then click OK.
  9. Choose Enable Root User from the Edit menu.
  10. Enter the root password you wish to use in both the Password and Verify fields, then click OK.

OK, now all we have to do is stop the Spotlight indexing as root:

$ su -
Password:
~ root# mdutil -i off /
/:

Indexing disabled.

With the indexing turned off, it's time to drop the cache:

# mdutil -E /
/:
Indexing disabled.

Now turn indexing back on:

# mdutil -i on /
/:
Indexing enabled.

Depending on the size of the local disk(s) and the categories selected for indexing, the rebuild could take a while.  Click the magnifying glass in the upper right corner of the screen, and you should see a status bar with the estimated indexing time.

Once the indexing is complete, re-run the Sophos local disk scan and make sure the Spotlight files are gone for good.  If they come back, then you are not running into the stale cache issue that I was: the index entry is being rebuilt from a file that still exists.  With any luck, the Quarantine Manager will then have two entries, one for the source file and one for the Spotlight index, so you can see where the detection comes from.  If not, try turning off the Messages and Chats categories in the Spotlight preferences and run through the above procedure again.  If that does the trick, then it's likely that you have an email containing the malware as an attachment, so be careful what you click.