Full Version: Rootkit Remover?
ZoraX
A PC in my network got hacked (no (filtered) idea how they got in). Just to be sure, I want to check if it has any kind of rootkit on it (Hacker Defender or any other). It's a Windows XP system; what do you recommend to use?
jam
try Rootkit Detector v0.62

http://3wdesign.es/security/
NoRRiS
reboot in safe mode ;)
saetji
boot using the Windows CD and you'll see options to see services etc.
ZoraX
ok, thanks. Damn, a lot of work to do today, have to change all the passwords and shit, and update all software. I have no idea how they got in, I have to update everything I guess :p later :)
Sh4dowWalker
If you want to know how they got in, try to scan your box for vulnerabilities first.
You may try some commercial scanners like Retina Network Security Scanner, GFI LANguard Network Security Scanner, Shadow Security Scanner, or search here and there ;) for free ones.
Understanding the method which was used (and can be used) and then protecting your box is the best way, I think.

Peace
Progressor
Booting in safe mode won't help you, because the HXdef service will start in safe mode too. RKdetector v0.62 will only tell you whether your computer is infected by HXdef, but it won't show you the actual service name and will not remove it. I recommend "klister v0.4" from rootkit.com. This program will show you all processes in memory, even if they are "hidden". Then you can compare the results with the process list in your taskbar, and thus you will find the hidden rootkit.
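The comparison Progressor describes is what is usually called cross-view detection: a listing taken below the hooked user-mode APIs is diffed against the ordinary listing, and anything only the low-level view shows is a candidate for something hiding it. The script below is an added example, not code from the thread or from klister; it assumes both listings have been saved as plain "pid name" lines, and all listings in it are constructed sample data. It goes a little beyond the post by taking two user-mode snapshots (one before and one after the low-level enumeration) so that processes that merely started or exited in between are not reported as hidden.

```python
# Added example: cross-view detection of hidden processes.
# Assumes process listings saved as '<pid> <image name>' lines; the listings
# below are constructed, not real captures.


def parse_listing(text):
    """Parse lines of the form '<pid> <image name>' into {pid: name}.
    Blank lines and '#' comments are ignored."""
    procs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pid_str, _, name = line.partition(" ")
        procs[int(pid_str)] = name.strip()
    return procs


def cross_view_diff(low_view, high_before, high_after):
    """Return {pid: name} for processes in the low-level view that appear in
    NEITHER user-mode snapshot. Two user-mode snapshots, one before and one
    after the low-level enumeration, rule out processes that merely started
    or exited while the snapshots were taken; a genuinely hidden process is
    missing from both."""
    return {
        pid: name
        for pid, name in low_view.items()
        if pid not in high_before and pid not in high_after
    }


def name_mismatches(low_view, high_view):
    """Return PIDs present in both views but under different image names.
    A mismatch can be benign (PID reused between snapshots) or a sign that
    the user-mode view is being altered; either way it deserves a look."""
    return {
        pid: (low_view[pid], high_view[pid])
        for pid in low_view.keys() & high_view.keys()
        if low_view[pid] != high_view[pid]
    }


# Constructed sample data. USERMODE_BEFORE is taken first, LOWLEVEL second,
# USERMODE_AFTER last.
USERMODE_BEFORE = """
4    System
512  services.exe
1040 explorer.exe
1500 notepad.exe    # constructed: exits before the last snapshot
"""

LOWLEVEL = """
4    System
512  services.exe
1040 explorer.exe
1300 hidden.exe     # constructed: shown only by the low-level view
1500 notepad.exe    # constructed: still running at this point
1700 calc.exe       # constructed: started after the first snapshot
"""

USERMODE_AFTER = """
4    System
512  services.exe
1040 explorer.exe
1700 calc.exe
"""


def find_hidden():
    """Run the cross-view comparison over the constructed listings."""
    low = parse_listing(LOWLEVEL)
    before = parse_listing(USERMODE_BEFORE)
    after = parse_listing(USERMODE_AFTER)
    return cross_view_diff(low, before, after)


if __name__ == "__main__":
    for pid, name in find_hidden().items():
        print(f"hidden process candidate: pid {pid} ({name})")
```

On the constructed data only PID 1300 is reported: notepad.exe (exited between snapshots) and calc.exe (started between snapshots) both show up in one of the user-mode views and are filtered out. The same diff works for services or files once each view is parsed into a dictionary keyed by a stable identifier.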
3AM
Klister doesn't work for XP.

This detector shows hidden services: http://www.security.nnov.ru/soft/ and so does dameware nt utilities...

Search this forum, all this info can be found here.
XeLoRy
QUOTE(Progressor @ Sep 28 2004, 10:45 AM)
Booting in safe mode won't help you, because the HXdef service will start in safe mode too. RKdetector v0.62 will only tell you whether your computer is infected by HXdef, but it won't show you the actual service name and will not remove it. I recommend "klister v0.4" from rootkit.com. This program will show you all processes in memory, even if they are "hidden". Then you can compare the results with the process list in your taskbar, and thus you will find the hidden rootkit.

I have the same problem as the poster,
but I've tried klister and when I run it in a shell I get:

C:\TOOLZ\Klister\klister-0.4\klister-0.4\bin>klister
klister 0.4, Joanna Rutkowska, 2003
determinig OS version... Windows 2000 Server [2195], SP4
opening device \\.\klister...
error: can't open device

What's wrong? How can I list the hidden processes?
lev
QUOTE
I have the same problem as the poster
What's wrong? How can I list the hidden processes?


try these steps:

http://bagpuss.swan.ac.uk/comms/hxdef.htm
postman
You could try using the GFI LANguard Network Security Scanner; you can get the latest trial software from http://www.gfi.com and it is able to download the latest definitions from its server.

Regards

Postman :)
ZoraX
Well, there is definitely no rootkit on it :p I found all the files very easily, backdoor file, servudaemon, everything :P..
Well, yeah, I know, maybe some backdoor hidden by a rootkit, but I don't think so, and I think maybe this is a "1337" hacker with a private exploit, but when he speedtested he just didn't care, 'cause the LAN is on a 0.5 Mbit line :P hehe...

And I did scan the PC many times, still I couldn't find anything that could be exploited by the public exploits :P

The rootkit scan said no rootkits installed...

Well, did all Windows upgrades (except SP2) and changed all passwords and patched all other programs that were running; haven't seen any new signs of hackers now :p

Thanks for all the tips and help I got from you guys :)