NB-Store does not change any page or DNN settings on install. So I can't see any reason why it would be NB-Store, there is simply no code in NB-Store to alter DNN pages.
As for the virus, could these have been uploaded by users/mangers of the websites?
If a hacker has got your FTP login then they are being very nice with you!!! So I doubt it is a hacker. I don't activate FTP on our LIVE servers, and when I do activate FTP on any server I usually restrict it to known IP addresses. FTP tends to be an easy target for the casual hacker.
As for the virus, could these have been uploaded by users/mangers of the websites?
If a hacker has got your FTP login then they are being very nice with you!!! So I doubt it is a hacker. I don't activate FTP on our LIVE servers, and when I do activate FTP on any server I usually restrict it to known IP addresses. FTP tends to be an easy target for the casual hacker.