Hello, I've used Rootkit Hacker Defender on my computer, and I've found:
Wrong Services:
*SV: Serv-U (Serv-U FTP Server) PATH: c:\winnt\system32\winmgnt.exe
*SV: tcp-ip (tcp-ip FTP Server) PATH: c:\winnt\system32\clspack32.exe
*SV: DS1410D (DS1410D) PATH: SYSTEM32\drivers\DS1410D.SYS
And:
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER v1.0.0 IS INSTALLED IN YOUR HOST.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available
So... I've been (filtered)... I have disabled the three services, but I can't find the .exe; as I think, they have been hidden.
One of my friends has used Superscan, and he told me that ports 6600 and 16000 were open. I've tried fport and Opports, but no open port...
I've tried Ethereal, and I've seen that 6600 was used to connect an IRC bot, like rbot, to SSL IRC, but I can't find any program name...
I need help... I think there is another way than to put in some Live CD and boot from it...
Sorry for my English... Thanks!
Antil
Jun 6 2004, 11:46 AM
Find a program like kill.exe and kill the services.
Neo_
Jun 6 2004, 01:40 PM
kill can't kill a service!!! And if you don't know the Hacker Defender rootkit, you can't find processes hidden by the rootkit...
dont-staY
Jun 6 2004, 02:41 PM
With Dameware NT Utilities the HXDEF service isn't hidden, so you can remove the service. Good luck!
LikeAHurricane
Jun 6 2004, 05:35 PM
QUOTE (Neo_ @ Jun 6 2004, 01:40 PM)
kill can't kill a service!!! And if you don't know the Hacker Defender rootkit, you can't find processes hidden by the rootkit...
Could you kill it in safe mode?
Planquadrat
Jun 6 2004, 06:40 PM
Sorry if I can't help you with your problem, but I have another question: which tool are you using to detect rootkits on Windows systems?
Like this one:
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER v1.0.0 IS INSTALLED IN YOUR HOST.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
Killaloop
Jun 6 2004, 06:58 PM
rkdetector is the tool he used to look for a rootkit. Neo, as already said, use Dameware NT Utilities to look for non-common services. Stop and remove them. When you try to stop the rootkit you will get a message like "service doesn't respond to control functions" after some time. That's fine, just wait a few minutes and after that use fport to see the Serv-U and the rest of the programs running.
canardwc
Jun 6 2004, 07:25 PM
QUOTE (Neo_ @ Jun 6 2004, 01:40 PM)
kill can't kill a service!!! And if you don't know the Hacker Defender rootkit, you can't find processes hidden by the rootkit...
Huh? Sorry, but a question: what do you mean by "it can't kill a service"?? Because my kill.exe manages to kill all the tasks shown by Ctrl+Alt+Del...
So are you sure that kill can't kill these services? If not, explain please, because I can kill all these tasks (and services).
Cya
LKM
Jun 6 2004, 07:27 PM
As it's been said, use Dameware. I once "infected" a friend's computer with hxdef by mistake, and I had to use that to remove it totally.
hdlgp
Jun 6 2004, 09:55 PM
Use another hxd, reboot, and then rootkitdetector and kill them.
dont-staY
Jun 7 2004, 10:32 AM
There is another way to clean your system from the hxdef rootkit:
Boot Windows into Rescue mode, do one of the following:
Insert the Windows OS Installation CD into the drive.
Boot from the CD.
Choose 'R' to enter the Rescue Console.
Choose the Windows installation you want to clean from the list presented to you.
Enter the Administrator password.
Once in the recovery console, you have a few commands for this, including:
listsvc - lists services that can be enabled or disabled
enable <servicename> <start-type> - enables a service, with a service start type
disable <servicename> - disables a service, but prints out the previous start-type, which should be recorded in case you need to re-enable the service.
Rkdetect is a little anomaly detection tool which can find services hidden by generic Windows rootkits like Hacker Defender.
The tool is very simple. It enumerates services on a remote computer through WMI (user level) and the Services Control Manager (kernel level), compares the results and displays the difference. In this way we can find hidden services, which are usually used to start the rootkit. A similar approach can be used to enumerate processes, files, registry keys and anything else that rootkits can hide.
The tool consists of the VBScript file rkdetect.vbs and the sc.exe utility. Sc.exe is a standard Windows tool to work with the SCM, which you can find on any Windows box with W2K3.
Usage:
1. Unzip the archive.
2. If you don't trust me (I hope you don't :-), copy sc.exe (c:\WINDOWS\system32\sc.exe in my case) from the Windows folder to the rkdetect folder.
3. Change dir to the rkdetect folder.
4. Start it:
Query services by WMI... Detected 79 services
Query services by SC... Detected 80 services
Finding hidden services...
Possible rootkit found: HXD Service 100
Done
C:\detector>
Thanks for your attention and sorry for my English.
Sergey V. Gordeychik, gordey@infosec.ru.
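The cross-view comparison that rkdetect's README describes, as an added example in Python rather than the tool's own VBScript: one view is constructed text in the real `sc query` output format, the other a constructed list of service names as a WMI Win32_Service query would return them, and the difference is reported. The service names, counts and the output wording are constructed sample data, not taken from rkdetect.

```python
import re

# Constructed sample of `sc query type= all state= all` output (SCM view).
SC_OUTPUT = """
SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: HXD Service 100
DISPLAY_NAME: HXD Service 100
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""

# Constructed sample of names from a WMI Win32_Service query (user-level
# view); a rootkit hooking user-mode APIs drops its own service from it.
WMI_NAMES = ["Eventlog", "Spooler"]


def parse_sc_query(text):
    """Return the SERVICE_NAME values found in `sc query` output."""
    return re.findall(r"^SERVICE_NAME:\s*(.+?)\s*$", text, re.MULTILINE)


def find_hidden_services(wmi_names, sc_names):
    """Names present in the SCM view but absent from the WMI view.
    Compared case-insensitively, as Windows service names are."""
    seen = {name.lower() for name in wmi_names}
    return [name for name in sc_names if name.lower() not in seen]


def report(wmi_names, sc_names):
    """Print an rkdetect-style summary and return the hidden names."""
    hidden = find_hidden_services(wmi_names, sc_names)
    print(f"Query services by WMI... Detected {len(wmi_names)} services")
    print(f"Query services by SC... Detected {len(sc_names)} services")
    for name in hidden:
        print(f"Possible rootkit found: {name}")
    return hidden


if __name__ == "__main__":
    report(WMI_NAMES, parse_sc_query(SC_OUTPUT))
```

On a live host the two lists would come from `sc query` and a WMI query of the same machine; a name that appears only in the lower-level view is the anomaly worth investigating.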
h3llraz0r
Jun 7 2004, 02:25 PM
QUOTE (Neo_ @ Jun 6 2004, 11:43 AM)
Hello, I've used Rootkit Hacker Defender on my computer, and I've found:
Wrong Services:
*SV: Serv-U (Serv-U FTP Server) PATH: c:\winnt\system32\winmgnt.exe
*SV: tcp-ip (tcp-ip FTP Server) PATH: c:\winnt\system32\clspack32.exe
*SV: DS1410D (DS1410D) PATH: SYSTEM32\drivers\DS1410D.SYS
And:
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER v1.0.0 IS INSTALLED IN YOUR HOST.
-------------------------------------------------------------------------------
-Searching for hxdef hooks............ ( Found: 1 running rootkits)
-------------------------------------------------------------------------------
*ROOTKIT HACKER DEFENDER >= v0.82 FOUND. Path not available
So... I've been (filtered)... I have disabled the three services, but I can't find the .exe; as I think, they have been hidden.
One of my friends has used Superscan, and he told me that ports 6600 and 16000 were open. I've tried fport and Opports, but no open port...
I've tried Ethereal, and I've seen that 6600 was used to connect an IRC bot, like rbot, to SSL IRC, but I can't find any program name...
I need help... I think there is another way than to put in some Live CD and boot from it...
Sorry for my English... Thanks!
If you used hxdef on yourself like you said you did, I don't see how hard it is to kill. You ran the file, so you know what directory it is in and the name of the .exe and the service name. Go to cmd in that dir and type hxdef.exe -:uninstall, and use kill.exe to kill the specific .exe; use hct.exe or xnet.exe to remove the service. If you hid the rootkit .exe file in the .ini then it is a lot harder to remove.
dotcom
Jun 7 2004, 03:56 PM
hxdef.exe -:uninstall has been mentioned, but I think if you grab a new hxdef and run that command I *believe* it will remove the actual rootkit... If not, turn on file/print sharing and connect to yourself with Dameware; all files/services will be visible then...
espey
Jun 7 2004, 04:02 PM
Good idea.... also for administrator.
Neo_
Jun 8 2004, 10:02 PM
Thanks for all the responses, but: when I posted this I had used rkdetector, Patchfinder 2 without any success, Opports, fport, Dameware, without seeing any suspected services. I have killed this:
but the rootkit is here. I've tried hxdef... :uninstall etc... I've read how to mod hxdef to be undetectable; I've compiled mine, but my KAV detects it, and not the one which is installed.
Killaloop
Jun 8 2004, 10:04 PM
Use Dameware from a remote machine to see the hidden services. This will work in any case; if you really find no strange service, there is no rootkit installed.
dont-staY
Jun 9 2004, 10:38 AM
... or run your PC in "Safe Mode" and search for rootkit files and services.
jimmy
Jun 9 2004, 04:51 PM
hxdef infects safe mode as well, so no use to try that. There are some good programs out there to remove rootkits.
smallcat28
Jun 18 2004, 02:10 AM
If I only know hxdef's process name, like hxdef.exe, but I don't know its service name, how can I remove the hxdef rootkit? If I know the service name, I can "net stop servicename" to stop the rootkit, but there are no tools like this to find the hidden service name now.