August 30th, 2005, 03:23 PM
#10
Banned
WOW, that Hogfly is some technician. I don't think the question is clear. Are you trying to determine if the machine is compromised or are you trying to learn who compromised the machine and find them?
One leads to the other. I would watch the network from a clean machine and evaluate the traffic to and from. Record open ports and look into the suspected traffic. If you're on a switch, you'll need a SPAN port; if it's a hub, just use tcpdump and isolate the IP you would like to watch.
Hope this makes sense and is correct.
HI HOG!!!!!!! REMEMBER ME?
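The approach in the post above (capture from a separate clean machine, isolate the suspect IP, record open ports and review the traffic), as an added example that is not part of the original thread. It assumes text output in the format of a current `tcpdump -nn -tt host <ip>`; the addresses, the sample lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -tt host 192.0.2.10` text output (not real traffic).
SAMPLE = """\
1125415380.100000 IP 198.51.100.7.40112 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0
1125415380.100300 IP 192.0.2.10.22 > 198.51.100.7.40112: Flags [S.], seq 2000, ack 1001, win 65160, length 0
1125415381.200000 IP 198.51.100.7.40113 > 192.0.2.10.23: Flags [S], seq 1100, win 64240, length 0
1125415381.200200 IP 192.0.2.10.23 > 198.51.100.7.40113: Flags [R.], seq 0, ack 1101, win 0, length 0
1125415382.000000 IP 192.0.2.10.49152 > 203.0.113.50.6667: Flags [S], seq 3000, win 64240, length 0
1125415382.050000 IP 203.0.113.50.6667 > 192.0.2.10.49152: Flags [S.], seq 4000, ack 3001, win 65160, length 0
1125415383.000000 IP 198.51.100.7.40114 > 192.0.2.10.31337: Flags [S], seq 1200, win 64240, length 0
1125415383.000250 IP 192.0.2.10.31337 > 198.51.100.7.40114: Flags [S.], seq 2200, ack 1201, win 65160, length 0
"""

# timestamp, "IP", src.port > dst.port:, then the TCP flags in brackets
LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]"
)

def summarize(text, watched):
    """Hypothetical helper: return (open_ports, outbound) for the watched host.

    open_ports: local port -> set of peers the host answered with SYN-ACK,
                i.e. ports that are really accepting connections.
    outbound:   (remote_ip, remote_port) -> number of connections the host
                itself initiated (bare SYN sent by the watched host).
    """
    open_ports = defaultdict(set)
    outbound = defaultdict(int)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsed line
        src, sport, dst, dport, flags = m.groups()
        if src == watched and flags == "S.":
            open_ports[int(sport)].add(dst)
        elif src == watched and flags == "S":
            outbound[(dst, int(dport))] += 1
    return dict(open_ports), dict(outbound)

if __name__ == "__main__":
    ports, out = summarize(SAMPLE, "192.0.2.10")
    for port in sorted(ports):
        print(f"open tcp/{port}: answered {sorted(ports[port])}")
    for (ip, port), n in sorted(out.items()):
        print(f"outbound to {ip}:{port} x{n}")
```

Comparing the observed open ports against what the machine is supposed to be running, and the outbound list against expected destinations, gives the "suspected traffic" to look into.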