F-Secure Rescue CD 3.16

F-Secure provides a free rescue CD that you can use to boot a system and scan it for viruses. This is very useful when a system is so infected it won't boot, runs extremely slowly under Windows, crashes unexpectedly under Windows, or is so badly infected that you don't want to boot into Windows to try and install software to disinfect the system. The F-Secure Rescue-CD allows you to boot into an alternate operating system. In this case the boot CD is a Knoppix Linux LiveCD. The version 3.16 Rescue CD uses Linux Microknoppix 3.0.4.

To use the software, download the ISO file and create a bootable CD from it using Nero or whatever other CD-burning software you may use that can create bootable CDs from .iso files. Then boot the system from the F-Secure Rescue CD. You will need to hit Enter at the initial Rescue CD screen or the system will boot into Microsoft Windows within 15 seconds.

F-Secure Rescue CD

F-Secure Rescue CD scans your computer.

The scanning process tries to disinfect all files that contain
If a file cannot be disinfected, it is renamed.
Warning! If a Windows system file is infected the computer may not

Select 'Start scan' and press Enter to scan the computer.

If you connect to the Internet through a proxy, select 'Proxy settings' before you start.

To use this tool:
Press Space to select or clear checkboxes
Use the arrow keys to move between elements
Press Enter to confirm the selection

< Start scan >    < Proxy settings >    <Restart computer>

If you select "Start Scan", which you can do by using the arrow keys or by Alt-S, the software will attempt to update its virus definition database over the network. If the system is connected to a network when you boot, it will attempt to obtain IP address information from a DHCP server. If the system has network access, it can update its virus definitions.

You may see the following at the point where it is updating the definitions:

Updating virus defintion database.
This could take some time, depending you your Internet connection

You will then be prompted to agree to the End User License Agreement. You can use the up and down cursor keys or the page up and page down keys to scroll through the agreement. When you select "Next" at that screen, you are asked to confirm that you have read the License Terms and accept them. You are then prompted to select the drives you want to scan. You can toggle the selection of drives/partitions on/off by using the arrow keys to move to a drive/partition and then using the spacebar to select or deselect an entry. To accept the default selections, just choose "Start scan".


Alt-F1  This screen.
Alt-F5  To see details of files being scanned.
Alt-F6  To see any malware found.
Ctrl-C  To cancel scanning.

Scan started at Sat Mar  1 20:49:45 UTC 2014
with Database version: 2014-03-02_01.

No malware found on Master Boot Records.

Scanned  Malware   Progress
   1300        0   ooooooooooooooooooooooooooooooooooooooo.........

At the conclusion of the scan you can view a report showing which files were deemed to be infected. Note: a scan may take many hours to complete, so you may need to run it overnight. A scan that I ran took 16 hours and 17 minutes.


Scanned  Malware   Progress
  14850        0   ....................................................find: 'mn
t/scan/sda1/ProgamData/Paessler/PRTG Network Monitor/Log Database/Log Database
20140127.db': Input/output error
 1463569        13  100%  .................oooooooooooooooooooooooooooooooo

Scan completed. Press Enter to see report.

When you hit Enter, you can view the scan report. You can scroll up and down through the report using the up and down arrow keys and you can scroll left and right to see the full directory path and file name for infected files using the left and right arrow keys.

The scan report will show which files F-Secure antivirus has determined were infected and renamed. When the files are renamed, .virus is appended to the end of the filename. E.g., hda1/WINDOWS/Temp/DWHD117.tmp would be renamed to hda1/WINDOWS/Temp/DWHD117.tmp.virus, if the antivirus software deemed it to be infected.

You can also get a "virtual console" by using Alt-F2, Alt-F3, or Alt-F4. These keyboard shortcuts will allow you to obtain a shell prompt for the root account on the system where you can enter standard Linux commands. You can return to the scan results screen using Alt-F1.

If you wish to copy the file in which the results of the scan are stored, you can do so, by hitting Ctrl-Alt-F2 to get a shell prompt. You can then type cd /tmp to change the working directory to the directory where the F-Secure antivirus software stores its results. In that directory you will find the following files:


The results of the scan are stored in scan_results.txt. You can use less scan_results.txt to view the contents of that file. The up and down arrow keys can be used to move back and forth through that file using the less command.

You can see the results for every file checked by viewing scan_log.txt. Those that were deemed uninfected will have clean after their entries in the log file. If any problems were encountered scanning particular files, you can find information on the reason within scan_errors.txt.

For hard drive partitions that were scanned, look under /mnt/scan with ls /mnt/scan. You should see something like hda1, sda1, sda2, sdf1, etc. If you see sdax where x is a digit, such as 1 or 2, then the 1 and 2 represent partitions on the same drive, which is identified as sda. You can see what files are on a particular partition by a command such as ls /mnt/scan/sda1
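As an added example (not part of the Rescue CD or of the original article), the shell functions below pull the infected entries out of scan_results.txt and check under the scan mount point whether each file was renamed with the .virus suffix. The line format is assumed to match the single result line quoted on this page; the function names, the second sample line and the demo directory are constructed, and awk and mktemp are assumed to be available in the shell.

```sh
# Added example, not part of the Rescue CD. Assumes result lines look like:
#   sda1/ProgramData/n3DVgp33/n3DVgp33.exe: Infected: Gen:Variant.Delf.203 [Aquarius]

# parse_infected FILE -> "path<TAB>detection<TAB>engine" per infected entry.
# Splits on the literal ": Infected: " because detection names contain colons.
parse_infected() {
    awk '{
        marker = ": Infected: "
        i = index($0, marker)
        if (i == 0) next                      # not a detection line
        path = substr($0, 1, i - 1)
        rest = substr($0, i + length(marker))
        engine = ""
        if (match(rest, / \[[^]]*\]$/)) {     # trailing "[engine]" tag, if any
            engine = substr(rest, RSTART + 2, RLENGTH - 3)
            rest = substr(rest, 1, RSTART - 1)
        }
        printf "%s\t%s\t%s\n", path, rest, engine
    }' "$1"
}

# rename_status ROOT FILE -> "state<TAB>detection<TAB>path" per entry, where
# state says whether the ".virus" copy exists under ROOT (e.g. /mnt/scan).
rename_status() {
    tab=$(printf '\t')
    parse_infected "$2" | while IFS=$tab read -r path name engine; do
        if [ -e "$1/$path.virus" ]; then state=renamed
        elif [ -e "$1/$path" ]; then state=original-present
        else state=not-found
        fi
        printf '%s\t%s\t%s\n' "$state" "$name" "$path"
    done
}

# Demo on constructed data (the first result line is the page's; the rest is made up).
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/mnt/sda1/ProgramData/n3DVgp33" "$d/mnt/sda1/My Docs"
    : > "$d/mnt/sda1/ProgramData/n3DVgp33/n3DVgp33.exe.virus"
    : > "$d/mnt/sda1/My Docs/setup.exe"
    cat > "$d/scan_results.txt" <<'EOF'
sda1/ProgramData/n3DVgp33/n3DVgp33.exe: Infected: Gen:Variant.Delf.203 [Aquarius]
sda1/My Docs/setup.exe: Infected: Constructed.Sample.Name [ExampleEngine]
No malware found on Master Boot Records.
EOF
    rename_status "$d/mnt" "$d/scan_results.txt"
    rm -rf "$d"
}
demo
```

On the Rescue CD itself the equivalent call would be rename_status /mnt/scan /tmp/scan_results.txt; an entry reported as original-present is one whose file is still at its original name and is worth checking by hand.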

If you want to copy the scan files created during the scan of the system from the temporary directory, which will disappear when the system is rebooted, to the system's hard disk, you could create a directory on the system's hard drive and copy them there. E.g., suppose sda1 corresponds to the C: drive and I want to put the files in the C:\Temp directory on the hard drive in a subdirectory called F-Secure. I could create the subdirectory with mkdir /mnt/scan/sda1/Temp/F-Secure. Note: since the rescue CD is a Knoppix Linux LiveCD, you need to be mindful that directory names are case-sensitive. Temp is not the same as TEMP. You can use the Linux ls command to view directory contents, e.g. ls /mnt/scan/sda1. After creating the directory for the scan files, I could copy scan_errors.txt, scan_log.txt, and scan_results.txt to it with cp scan*.txt /mnt/scan/sda1/Temp/F-Secure/., allowing me to retain that information after rebooting the system. There is a zip command available, so you could also put the files in a zip file first, if you wished. E.g., I could create a file f-secure_results.zip with the command zip f-secure_results.zip scan* and then move that file to the /mnt/scan/sda1/Temp/F-Secure directory with the command below:

mv f-secure_results.zip /mnt/scan/sda1/Temp/F-Secure/.

A Secure Shell (SSH) client is available on the Rescue CD along with a secure copy (scp) program, so you can also copy the files to an SSH server with scp. E.g.:

scp scan*.txt jdoe@myserver.com:.

There is also a File Transfer Protocol (FTP) client, NcFTP, on the system, which you could use to transfer the files to an FTP server, if you wished. That FTP client program can be started with the command ncftp.

Another alternative is to start an SSH server from the Rescue CD so that you can log into the system remotely. For the steps to take to configure the system as an SSH server see Installing the SSH Server Service on Knoppix.

You can return to the Scan report screen with Alt-F1. When you continue you will have the opportunity to scan again or restart the computer.

Scan report


No malware found on Master Boot Records.

The computer was scanned. All files still containing malware are

Scan is now complete. The computer will be restarted.

< Scan again >      <Restart computer>

Hitting Enter at this point will restart the computer.


F-Secure provides an F-Secure Virus and Threat Descriptions page where you can search for more details on malware it has found. When I scanned a Windows 7 system using the F-Secure Rescue CD, I found the following in the scan_results.txt file:

sda1/ProgramData/n3DVgp33/n3DVgp33.exe: Infected: Gen:Variant.Delf.203 [Aquarius]

The file was identified as infected with Gen:Variant.Delf.203. I used the search tool available from the F-Secure Virus and Threat Descriptions web page for information on the malware. When I searched on "Variant.Delf.203", no information was returned, but when I searched on "Delf.203", I saw a Trojan:W32/Delf page that identified the malware as Trojan horse malware with the following mention in regards to it.

Delf is a large family of malicious programs, many of which are associated with data theft.


Created: Sunday March 2, 2014