F-Secure provides a free
rescue CD that you can use to boot a system and scan it for viruses.
This is very useful when a system is so infected it won't boot, runs
extremely slowly under Windows, crashes unexpectedly under Windows, or is
so badly infected that you don't want to boot into Windows to try and install
software to disinfect the system. The F-Secure Rescue-CD allows you to boot
into an alternate operating system. In this case the boot CD is a
Knoppix Linux LiveCD. The version 3.16
Rescue CD uses
Linux Microknoppix 3.0.4.
To use the software, download the ISO file and create a bootable CD from it using Nero or whatever other CD-burning software you may use that can create bootable CDs from .iso files. Then boot the system from the F-Secure Rescue CD. You will need to hit Enter at the initial Rescue CD screen or the system will boot into Microsoft Windows within 15 seconds.
If you select "Start Scan", which you can do by using the arrow keys or by Alt-S, the software will attempt to update its virus definition database over the network. If the system is connected to a network when you boot, it will attempt to obtain IP address information from a DHCP server. If the system has network access, it can update its virus definitions.
You may see the following at the point where it is updating the definitions:
Updating virus defintion database.
This could take some time, depending you your Internet connection
You will be then be prompted to agree to the End User License Agreement. You can use the up and down cursor keys or the page up and page down keys to scroll through the agreement. When you select "Next" at that screen, you are asked to confirm that you have read the License Terms and accept them. You are then prompted to select the drives you want to scan. You can toggle the selection of drives/partitions on/of by using the arrow keys to move to a drive/partition and then using the spacebar to select or deselect an entry. To accept the default selections, just choose "Start scan".
Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see any malware found. Ctrl-C To cancel scanning. Scan started at Sat Mar 1 20:49:45 UTC 2014 with Database version: 2014-03-02_01. No malware found on Master Boot Records. Scanned Malware Progress 1300 0 ooooooooooooooooooooooooooooooooooooooo.........
At the conclusion of the scan you can view a report showing which files were deemed to be infected. Note: a scan may take many hours to complete, so you may need to run it overnight. A scan that I ran took 16 hours and 17 minutes.
Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see any malware found. Ctrl-C To cancel scanning. Scan started at Sat Mar 1 20:49:45 UTC 2014 with Database version: 2014-03-02_01. No malware found on Master Boot Records. Scanned Malware Progress 14850 0 ....................................................find: 'mn t/scan/sda1/ProgamData/Paessler/PRTG Network Monitor/Log Database/Log Database 20140127.db': Input/output error 1463569 13 100% .................oooooooooooooooooooooooooooooooo Scan completed. Press Enter to see report.
When you hit Enter, you can view the scan report. You can scroll up and down through the report using the up and down arrow keys and you can scroll left and right to see the full directory path and file name for infected files using the left and right arrow keys.
The scan report will show which files F-Secure antivirus has determined were
infected and renamed. When the files are renamed,
is appended to the end of the filename. Eg.
hda1/WINDOWS/Temp/DWHD117.tmp would be renamed to
hda1/WINDOWS/Temp/DWHD117.tmp.virus, if the antivirus software
deemed it to be infected.
You can also get a "virtual console" by using Alt-F2, Alt-F3, or Alt-F4. These keyboard shortcuts will allow you to obtain a shell prompt for the root account on the system where you can enter standard Linux commands. You can return to the scan results screen using Alt-F1.
If you wish to copy the file in which the results of the scan are stored,
you can do so, by hitting Ctrl-Alt-F2 to get a shell prompt. You can then
cd /tmp to change the working directory to the directory
where the F-Secure antivirus software stores its results. In that directory
you will find the following files:
mount_error_details.txt mount_errors.txt scan_count scan_errors.txt scan_log.txt scan_results.txt
The results of the scan are stored in
less scan_results.txt to view the contents of that
file. The up and down arrow keys can be used to move back and forth
through that file using the
You can see the results for every file checked by viewing
scan_log.txt. Those that were deemed uninfected will have
clean after their entries in the log files. If any problems
were encountered scanning particular files, you can find information on
the reason within
For hard drive partitions that were scanned, look
You should see something like
sdf1, etc. If you see
x is a digit, such as 1 or 2, then the 1 and
2 represent partitions on the same drive, which is identified
sda. You can see what files are on a particular
partition by a command such as
If you want to copy the scan files created during the scan of the
system from the temporary directory, which will disappear when the
system is rebooted, to the system's hard disk, you could create a
directory on the system's hard drive and copy them there. E.g.,
sda1 corresponds to the
drive and I want to put the files in the
directory on the hard drive in a subdirectory called
F-Secure. I could create the subdirectory with
/mnt/scan/sda1/Temp/F-Secure. Note: since the rescue CD is a
Knoppix Linux LiveCD,
you need to be mindful that directory names are case-sensitive.
Temp is not the same as
TEMP. You can use the
ls command to view directory contents, e.g.
/mnt/scan/sda1. After creating the directory for the scan files,
I could copy
scan_results.txt to it with
/mnt/scan/hda1/Temp/F-Secure/., allowing me to retain that
information after rebooting the system. There is a
command available, so you could also put the files in a zip file first, if
you wished, e.g. I could create a file
with the command
zip f-secure_results.zip scan* and then move
that file to the
/mnt/scan/sda1/Temp/F-Secure directory with
the command below:
mv f-secure_results.zip /mnt/scan/sda1/Temp/F-Secure/.
A Secure Shell (SSH) client is available on the Rescue CD along with a secure copy (scp) program, so you can also copy the files to an SSH server with scp. E.g.:
scp scan*.txt email@example.com:.
There is also a
File Transfer Protocol (FTP) client,
on the system which you could use to transfer the files to
an FTP server, if you wished. That FTP client program can
be started with the command
Another alternative is to start an SSH server from the Rescue CD so that you can log into the system remotely. For the steps to take to configure the system as an SSH server see Installing the SSH Server Service on Knoppix.
You can return to the Scan report screen with Alt-F1. When you continue you will have the opportunity to scan again or restart the computer.
Hitting Enter at this point will restart the computer.
F-Secure provides a
F-Secure Virus and Threat Descriptions page where you can search for
more details on malware it has found. When I scanned a Windows 7 system
using the F-Secure Rescue CD, I found the following in the
sda1/ProgramData/n3DVgp33/n3DVgp33.exe: Infected: Gen:Variant.Delf.203 [Aquarius]
The file was identified as infected with
I used the search tool available from the
F-Secure Virus and Threat Descriptions web page for informaton on the
malware. When I searched on "Variant.Delf.203", no information was returned,
but when I searched on "Delf.203", I saw a
page that identified the malware as
malware with the following mention in regards to it.
Delf is a large family of malicious programs, many of which are associated with data theft.
Created: Sunday March 2, 2014