Trojan.Rootkit-637 & Trojan.LdPinch-2493

surgez (Joined: 09 May 2008, Posts: 0, Location: New Zealand)
Posted: Fri May 09, 2008 11:08 am

I am running Vista Ultimate and have re-installed twice, and these two keep appearing:
1. C:\Windows\System32\drivers\sbmount.sys: Trojan.Rootkit-637 FOUND
2. C:\Program Files\Mozilla Firefox\uninstall\helper.exe: Trojan.LdPinch-2493 FOUND
After each install I have re-scanned after the driver install and after every 10 apps installed; I have scanned everything independently before it was installed, scanned all data before it was copied over, etc. (in short, tried to be as thorough as possible). I even browse the net and check email on a Linux virtual machine.
I also have another PC running Vista Business, and this one appears on it also:
C:\Program Files\Mozilla Firefox\uninstall\helper.exe: Trojan.LdPinch-2493 FOUND
I have a laptop and an Exchange server running on the network, and both scan clean.
I am running NOD32 and it picks up nothing. I have tried online virus scanners from F-Secure, Trend, McAfee, Panda, Kaspersky and Sophos, and have even installed and run Symantec Endpoint and run full system scans; they all pick up a few tracking cookies but nothing further.
Could this possibly be a false positive? Or is this rootkit a real nasty?

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Fri May 09, 2008 2:22 pm

You've scanned with several good AVs without finding anything. Some of them claim to be able to spot a rootkit "on the fly," so it's probably a false positive. I would give it one more scan with F-Secure's free BlackLight anti-rootkit. If it finds nothing, send a copy of the file(s) to Clam at https://cgi.clamav.net/sendvirus.cgi on the Web and tell them it is a false positive.
The way BlackLight works is you download it to your desktop (or somewhere). You don't have to install it; just run it. BlackLight writes a log file wherever you put it every time it is run. If it finds something, it will request permission to rename the file. You investigate the file first and make sure it's not a false positive on a file you need. If it is "bad," then give BlackLight permission to rename it. BlackLight will rename it and keep it in the same directory where it was found. You can then go to that directory and manually delete the file, but see if ClamWin spots it first. If it doesn't, upload a copy of the file to ClamAV before deleting.
Regards,

Malf_Joshua (Joined: 10 May 2008, Posts: 0)
Posted: Sat May 10, 2008 5:01 am

Yes, I have it too, two times, just about after I surfed to some blogs from Google.
My computer has Vista Ultimate installed. The problems began on my computer: it often hangs, slow performance, and too many adverts like "lucky banner" or "you win bla..bla.." or "you are the 1,000,000th visitor bla...bla..bla.." at every site I visited.
I'm using Spyware Terminator integrated with ClamWin antivirus. When I scan using ClamWin alone, it does not detect the trojan, but when I scan with Spyware Terminator, which is integrated with ClamWin, it was detected and it successfully removed the trojan (LdPinch-2493). Spybot Search & Destroy was not able to do this.
The directory is not always the same place; it can move to other places.
It is dangerous, and it is actually a pain in the ass, really.

ldpinch 2493

surgez (Joined: 09 May 2008, Posts: 0, Location: New Zealand)
Posted: Sat May 10, 2008 5:19 am

Are you getting these banners in IE or Mozilla? Performance is not an issue on this machine and I haven't noticed any banners (above and beyond the usual), though I primarily use Mozilla.
As I said before, I have also moved to checking email and browsing the net in a Linux virtual machine (with ClamAV and NOD32 running also), as I am not entirely certain what either trojan is doing. I have an excellent firewall in place and have not noticed any anomalous traffic, which I have seen with trojans before on the same firewall, which is what is making me question a) my sanity and b) ClamWin's.
I will have a look into Spyware Terminator, perhaps ask their support team a few questions and see if I can make heads or tails of this.

Malf_Joshua (Joined: 10 May 2008, Posts: 0)
Posted: Sat May 10, 2008 8:05 am

Yes, certainly! I'm getting these banners just after my system got infected by LdPinch-2493, and just now, after I removed the "helper.exe", the banners are gone.
When the "/uninstall/helper.exe" was still running on my PC, my anti-spyware noticed it and showed a block confirmation, and every time I opened Firefox I had to wait for about 3 minutes, and if I was lucky my PC wouldn't hang... hehe. I'm pretty sure now. I don't know how trojans work, but I think you won't see its traffic at your firewall, no matter how good your firewall is.
Two times I noticed the directory of this trojan... no, three times: first in the Firefox directory, second in the Notepad directory, and third, back in the Firefox directory again.
I'm guessing that on my PC it uses port 80 or HTTP to get connected, because every time I start my browser I must wait very long... long enough to make some tea and buy some cigarettes.
The bad thing is, it invites other malware onto PCs, so using anti-spyware might be a good idea because it blocks a lot of malware content from sites.

GuitarBob (Joined: 09 Jul 2006, Posts: 9, Location: USA)
Posted: Sat May 10, 2008 1:44 pm

Go to the ClamWin Antimalware links. Under the downloadable malware removal tools, find Dr. Web's CureIt and/or Norman's Malware Cleaner. CureIt is fairly small in size, but Norman is fairly large. Norman should be used in Safe Mode.
Regards,

surgez (Joined: 09 May 2008, Posts: 0, Location: New Zealand)
Posted: Sun May 11, 2008 6:11 am

OK, I have run the Spyware Terminator application, which uses ClamAV as the virus scanner, and have removed the following:
Remove Rootkit-637
Deleted File: C:\Windows\system32\drivers\sbmount.sys
Deleted Registry : HKLM\SYSTEM\CurrentControlSet\Services\sbmount
Deleted File: c:\$Recycle.Bin\S-1-5-21-1136728116-906691692-847340059-1000\$R1CWOX7.sys
It did not detect Trojan.LdPinch in the helper.exe file. I am scanning again to verify its removal after several reboots.
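A triage script for the two flagged files, added here as an example; it is not part of the thread and not ClamWin's or Spyware Terminator's code. It assumes an elevated Windows PowerShell (2.0 or later) session on the affected machine and uses the exact paths surgez reports; the service name sbmount is taken from the registry key the removal log lists. It records the size, timestamp, SHA-256 and Authenticode signature of each file and, for the driver, the service entry that loads it and whether it is currently running, which is what you would compare across the two affected machines and attach to a false-positive report before deleting anything.

```powershell
# Added example, not from the thread. Run elevated; edit $Flagged and $ServiceName
# to match the detections on your own machine.
$Flagged = @(
    'C:\Windows\System32\drivers\sbmount.sys',
    'C:\Program Files\Mozilla Firefox\uninstall\helper.exe'
)
$ServiceName = 'sbmount'   # from HKLM\SYSTEM\CurrentControlSet\Services\sbmount in the removal log

# SHA-256 via .NET so it also works on PowerShell 2.0 (Get-FileHash needs 4.0+).
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($path in $Flagged) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path : not present"
        continue
    }
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    # Status is Valid / NotSigned / HashMismatch / UnknownError etc.; an unsigned
    # file is not proof of malware, but a valid signature from the expected
    # vendor is strong evidence of a false positive.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    Write-Output ("{0}`n  size={1} modified={2:u}`n  sha256={3}`n  signature={4} signer={5}" -f
        $path, $item.Length, $item.LastWriteTimeUtc, (Get-Sha256Hex $path), $sig.Status, $signer)
}

# Which service key loads the driver, how it starts (Start: 0=boot, 1=system,
# 2=auto, 3=manual, 4=disabled; Type 1 = kernel driver), and is it loaded now?
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Write-Output ("{0} service: ImagePath={1} Start={2} Type={3}" -f
        $ServiceName, $svc.ImagePath, $svc.Start, $svc.Type)
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$ServiceName'"
    if ($drv) { Write-Output ("  state={0} started={1}" -f $drv.State, $drv.Started) }
} else {
    Write-Output "$ServiceName service key: not present"
}
```

Run it on both affected machines and compare: an identical hash for helper.exe on two independent installs, matching the file produced by a fresh copy of the vendor's installer, points to a false positive worth reporting to ClamAV with the hash attached. An unsigned kernel driver whose service key starts it at boot and whose origin you cannot account for is the one to copy off for analysis (and to check against the drivers a clean install of the same software package creates) rather than delete outright, since deleting it destroys the evidence you would need to decide either way.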
All times are GMT
Content © ClamWin Free Antivirus (forum powered by phpBB)