WIN32.TROJAN.DOWNLOADER registry key linked to "lsass.exe " (trailing blank)
geowyn
I have resolved this problem on my own machine and wanted to share my experience. Ad-Aware was the only scanning program that reported a problem. It looked like a false positive until I found the hidden executable that did not show up in any of the anti-virus scans I ran.

Here is a brief history of events:

Symantec reported that it removed Backdoor.HackDefender from my system.

Subsequently I had intermittent reports of this (or similar) software being detected and deleted, but for the most part the scans ran clean. In the meantime, Ad-Aware consistently reported:

WIN32.TROJAN.DOWNLOADER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{7b87a1e1-481a-47a5-b58f-bb1430dcc930}

I deleted this key numerous times, but after a brief wait it reappeared again.

Over time I discovered that this key was being created by (what appeared to be) LSASS.EXE. Further I saw that binary data was stored in the default value of the key and that LSASS queried the key every 15 minutes or so.

Eventually I found (and removed):

Two files: LSASS.EXE and SVCHOST.EXE, each with a trailing blank. The files had extension ".exe " instead of ".exe". To distinguish them from the real files (with actual .exe extensions), I will refer to them henceforth as bad-lsass and bad-svchost.

The files were both started via registry keys that looked totally innocuous, since a quick glance would show references to lsass.exe and svchost.exe (with the trailing blank invisible).

bad-svchost seemed to have the job of protecting bad-lsass. Whenever I shut down bad-lsass, bad-svchost restarted it immediately. The only way around this I found (prior to the clean-up) was to use Process Explorer (from Sysinternals) to suspend (but not kill) bad-lsass.

It turns out that it was bad-lsass that recreated the key removed by Ad-Aware, and bad-lsass which polled it every 15 minutes.

Eventually I ran an evaluation copy of TrojanHunter, which reported that ports 20000 and 20001 were open on my machine (and that these ports are associated with at least one trojan horse). I confirmed that bad-lsass was listening on ports 20000 and 20001 (and several others as well, although I was not taking careful notes at this point).

At one point Symantec did detect the bad svchost file (or seemed to), but the malware seemed to continue operating until I finally deleted bad-lsass (in safe mode).

I ran scans on bad-lsass with Symantec and several spyware and trojan detection programs and none of them recognized it. I uploaded the file to the prevx site, but, last I checked, no other reports were made and they also did not recognize it.

To sum up:

Ad-Aware's report turned out to signal a real problem with my system.

Symptoms:

1. Ad-Aware reports a WIN32.TROJAN.DOWNLOADER registry key which returns shortly after being deleted.

2. Process Explorer (and I assume Task Manager) reports two running processes named lsass.exe (one has a trailing blank).

3. Windows\System32 directory contains "lsass.exe " and "svchost.exe " (trailing blanks).

4. TrojanHunter reports open ports at 20000 and 20001.

Clean-up I used (caveat: reconstructed after the fact, probably incomplete, and not fully proofed):

1. Rebooted in safe mode. (Not sure if system restore needs to be turned off, but probably doesn't hurt.)

2. Deleted the two bad ".exe " files.

3. Deleted the bad key reported by Ad-Aware.

4. Ran autoruns.exe (from Sysinternals), which gave me a complete list of images executed at system load. Now that the bad files were deleted, I found several keys which appeared to point to lsass.exe and svchost.exe but which reported "file not found." These keys were actually referencing the bad versions (with the trailing blanks) and, proceeding with great caution, I deleted them.

5. Rebooted.

6. Now running additional scanning tools including TrojanGuard.

Hope this is useful to someone. Still not sure why the bad ".exe " files did not get flagged by any scanners, and wondering if this is a known exploit. (Hard to believe it's a one-time occurrence!)
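The checks geowyn performed by hand (files in System32 with a trailing blank, a second lsass.exe, Run keys and services whose image path hides a blank, listeners owned by the fake process) can be scripted. The following is an added example, not code from the post or from Lavasoft; it assumes an elevated PowerShell on a modern Windows (Get-NetTCPConnection and Get-CimInstance did not exist in the XP era of the post), and the port numbers and the list of system-process names are heuristics taken from the post, not signatures.

```powershell
# Added example: hunt for the "trailing blank" executable masquerade described above.
# Run elevated, otherwise Get-Process cannot read the image path of protected processes.

$sysDir = Join-Path $env:SystemRoot 'System32'

# 1. Files in System32 whose names end in whitespace. The Win32 layer normally strips
#    trailing spaces from file names, so a name that keeps one was created deliberately
#    (e.g. via the \\?\ path prefix). Names are printed in brackets so the blank shows.
$oddFiles = Get-ChildItem -LiteralPath $sysDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\s$' }
$oddFiles | ForEach-Object { "file: [$($_.Name)] $($_.Length) bytes, modified $($_.LastWriteTime)" }

# 2. Running processes whose image path ends in whitespace, or that carry a core
#    system-process name but do not run from System32 (two lsass.exe is the tell).
$sysNames = 'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'
$oddProcs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $p = $_.Path
    $p -and (
        ($p -match '\s$') -or
        (($sysNames -contains ($_.Name + '.exe')) -and ((Split-Path $p -Parent) -ne $sysDir))
    )
}
$oddProcs | ForEach-Object { "proc: pid $($_.Id) [$($_.Path)]" }

# 3. Persistence: Run/RunOnce values and service image paths whose command ends in
#    ".exe" followed by whitespace and then a quote or the end of the string, the
#    pattern that made the references in the post look like the real lsass/svchost.
$imgPattern = '\.exe\s+("|$)'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are metadata
        $cmd = [string]$props.$name
        if ($cmd -match $imgPattern) { "run key: $k\$name = [$cmd]" }
    }
}
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -match $imgPattern } |
    ForEach-Object { "service: $($_.Name) = [$($_.PathName)]" }

# 4. Listening sockets owned by a flagged process, plus the two ports named in the post.
$oddPids = @($oddProcs | ForEach-Object Id)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { ($oddPids -contains $_.OwningProcess) -or ($_.LocalPort -in 20000, 20001) } |
    ForEach-Object { "listen: $($_.LocalAddress):$($_.LocalPort) pid $($_.OwningProcess)" }
```

Every hit is printed with the offending name in square brackets, because the whole trick relies on the blank being invisible in a normal listing; a match in step 3 whose trimmed path does not exist on disk corresponds to the "file not found" entries Autoruns showed in the post after the files were deleted.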
LS Anders
Hello geowyn

Happy to see Ad-Aware could help you.

If you still happen to have those bad files, we would very much appreciate it if you could send them in to us so we could have a closer look at them.

To submit a file go to http://apep.lavasoft.com/upload/submit_file.php or zip them, attach them to a mail and send it to research@lavasoft.com.


Regards
LS Anders
Lavasoft Research Team