Several months ago one of our PCs detected a trojan in Java called vmain.class whilst scanning with NIS 2010. Now today that same trojan has been detected again.
Further there are multiple 'Unauthorised Access Blocked' (including about 15+ for this week alone) entries on Norton for that PC, including one today, as well as 'Intrusion attempt by an ip address' was blocked. These entries all target Norton, specifically cltlmh.exe and ccsvchst.exe, with the actors being system32/conhost.exe (access process data) or system32/services.exe (access thread data).
Further, another PC, although not detecting that trojan, has multiple entries saying it has blocked port access attempts/unused port blocking. These start on the 6th of November, although there are 4 entries (one for each month) going back from October saying errors were reported to Symantec. It also has a Bloodhound.Exploit.281 with the origin as recoverystore.{long string of numbers}.dat from the 4th of October, which I wouldn't ever have known about had I not checked the history, as no warning came up about this.
My questions are:
What should I do about all this?
The information for the trojan says the file has been on the PC since 19/06/2010 but it only detected it today. Does this mean that the trojan has been on the PC all this time?
It says unauthorised access blocked/intrusion attempt blocked, but these are all targeting Norton - is it possible one got through and so is not logged?
We are thinking of formatting both PCs as this keeps coming back. Does anyone have any tips/suggestions about ensuring any damage/virus/trojans this has embedded on the PCs does not get copied off with any documents we need before we do so?