F-Secure provides a free rescue CD that you can use to boot a system and scan it for viruses. This is very useful when a system is so infected it won't boot, runs extremely slowly under Windows, crashes unexpectedly under Windows, or is so badly infected that you don't want to boot into Windows to try to install software to disinfect the system. The F-Secure Rescue CD allows you to boot into an alternate operating system; in this case the boot CD is a Knoppix Linux LiveCD. The version 3.16 Rescue CD uses Linux Microknoppix 3.0.4.
To use the software, download the ISO file and create a bootable CD from it using Nero or whatever other CD-burning software you may use that can create bootable CDs from .iso files. Then boot the system from the F-Secure Rescue CD. You will need to hit Enter at the initial Rescue CD screen or the system will boot into Microsoft Windows within 15 seconds.
F-Secure Rescue CD
< Start scan > < Proxy settings > <Restart computer>
If you select "Start Scan", which you can do by using the arrow keys or by Alt-S, the software will attempt to update its virus definition database over the network. If the system is connected to a network when you boot, it will attempt to obtain IP address information from a DHCP server. If the system has network access, it can update its virus definitions.
You may see the following at the point where it is updating the definitions:
Updating virus defintion database.
This could take some time, depending you your Internet connection
You will then be prompted to agree to the End User License Agreement. You can use the up and down cursor keys or the page up and page down keys to scroll through the agreement. When you select "Next" at that screen, you are asked to confirm that you have read the License Terms and accept them. You are then prompted to select the drives you want to scan. You can toggle the selection of drives/partitions on/off by using the arrow keys to move to a drive/partition and then using the spacebar to select or deselect an entry. To accept the default selections, just choose "Start scan".
Scanning
Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see any malware found. Ctrl-C To cancel scanning. Scan started at Sat Mar 1 20:49:45 UTC 2014 with Database version: 2014-03-02_01. No malware found on Master Boot Records. Scanned Malware Progress 1300 0 ooooooooooooooooooooooooooooooooooooooo.........
At the conclusion of the scan you can view a report showing which files were deemed to be infected. Note: a scan may take many hours to complete, so you may need to run it overnight. A scan that I ran took 16 hours and 17 minutes.
Scanning
Alt-F1 This screen. Alt-F5 To see details of files being scanned. Alt-F6 To see any malware found. Ctrl-C To cancel scanning. Scan started at Sat Mar 1 20:49:45 UTC 2014 with Database version: 2014-03-02_01. No malware found on Master Boot Records. Scanned Malware Progress 14850 0 ....................................................find: 'mn t/scan/sda1/ProgamData/Paessler/PRTG Network Monitor/Log Database/Log Database 20140127.db': Input/output error 1463569 13 100% .................oooooooooooooooooooooooooooooooo Scan completed. Press Enter to see report.
When you hit Enter, you can view the scan report. You can scroll up and down through the report using the up and down arrow keys and you can scroll left and right to see the full directory path and file name for infected files using the left and right arrow keys.
The scan report will show which files F-Secure antivirus has determined were infected and renamed. When the files are renamed, .virus is appended to the end of the filename. E.g., hda1/WINDOWS/Temp/DWHD117.tmp would be renamed to hda1/WINDOWS/Temp/DWHD117.tmp.virus if the antivirus software deemed it to be infected.
You can also get a "virtual console" by using Alt-F2, Alt-F3, or Alt-F4. These keyboard shortcuts will allow you to obtain a shell prompt for the root account on the system where you can enter standard Linux commands. You can return to the scan results screen using Alt-F1.
If you wish to copy the file in which the results of the scan are stored, you can do so by hitting Ctrl-Alt-F2 to get a shell prompt. You can then type cd /tmp to change the working directory to the directory where the F-Secure antivirus software stores its results. In that directory you will find the following files:
mount_error_details.txt
mount_errors.txt
scan_count
scan_errors.txt
scan_log.txt
scan_results.txt
The results of the scan are stored in scan_results.txt. You can use less scan_results.txt to view the contents of that file. The up and down arrow keys can be used to move back and forth through that file using the less command.
You can see the results for every file checked by viewing scan_log.txt. Those that were deemed uninfected will have clean after their entries in the log file. If any problems were encountered scanning particular files, you can find information on the reason within scan_errors.txt. For hard drive partitions that were scanned, look under /mnt/scan with ls /mnt/scan.
You should see something like hda1, sda1, sda2, sdf1, etc. If you see sdax where x is a digit, such as 1 or 2, then the 1 and 2 represent partitions on the same drive, which is identified as sda. You can see what files are on a particular partition with a command such as ls /mnt/scan/sda1.
If you want to copy the scan files created during the scan of the system from the temporary directory, which will disappear when the system is rebooted, to the system's hard disk, you could create a directory on the system's hard drive and copy them there. E.g., suppose sda1 corresponds to the C: drive and I want to put the files in the C:\Temp directory on the hard drive in a subdirectory called F-Secure. I could create the subdirectory with mkdir /mnt/scan/sda1/Temp/F-Secure. Note: since the rescue CD is a Knoppix Linux LiveCD, you need to be mindful that directory names are case-sensitive: Temp is not the same as TEMP. You can use the Linux ls command to view directory contents, e.g. ls /mnt/scan/sda1. After creating the directory for the scan files, I could copy scan_errors.txt, scan_log.txt, and scan_results.txt to it with cp scan*.txt /mnt/scan/sda1/Temp/F-Secure/., allowing me to retain that information after rebooting the system. There is a zip command available, so you could also put the files in a zip file first, if you wished, e.g. I could create a file f-secure_results.zip with the command zip f-secure_results.zip scan* and then move that file to the /mnt/scan/sda1/Temp/F-Secure directory with the command below:
mv f-secure_results.zip /mnt/scan/sda1/Temp/F-Secure/.
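The copy-out procedure above, written as a small POSIX shell script that also leaves a checksum manifest beside the copies so you can confirm later that the report was not truncated or altered. This is an added example, not code from the page or from F-Secure; it assumes the scan files are in /tmp and the Windows partition is mounted at /mnt/scan/sda1 (substitute the device name ls /mnt/scan actually shows), and it uses tar rather than the page's zip so it runs on live systems where zip is absent.

```shell
#!/bin/sh
# Added example, not part of the original page: save the F-Secure Rescue CD scan
# files from the volatile /tmp directory onto the scanned Windows partition
# before rebooting, and verify the copies. Assumptions: the Rescue CD writes
# scan_errors.txt, scan_log.txt and scan_results.txt to /tmp, and the Windows
# system partition is mounted at /mnt/scan/sda1 (check with ls /mnt/scan; the
# device name differs from machine to machine).

# preserve_scan_results SRC DEST
#   SRC  - directory holding the scan files (/tmp on the Rescue CD)
#   DEST - directory to create on the mounted partition; the name is
#          case-sensitive, so Temp and TEMP are different directories
preserve_scan_results() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    copied=0
    for f in scan_errors.txt scan_log.txt scan_results.txt; do
        # a missing file (e.g. no scan_errors.txt) is skipped rather than aborting
        [ -f "$src/$f" ] || continue
        cp "$src/$f" "$dest/$f" || return 1
        copied=$((copied + 1))
    done
    [ "$copied" -gt 0 ] || return 1
    # Record checksums beside the copies so the report can later be checked
    # for tampering or a truncated copy, and bundle everything into one archive.
    # tar is used instead of the page's zip so the function also runs on live
    # systems without zip installed.
    ( cd "$dest" \
        && sha256sum scan_*.txt > SHA256SUMS \
        && tar -cf f-secure_results.tar scan_*.txt SHA256SUMS ) || return 1
}

# verify_scan_results DEST: recompute the checksums; non-zero exit on any mismatch
verify_scan_results() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# On the Rescue CD (from an Alt-F2 shell):
#   preserve_scan_results /tmp /mnt/scan/sda1/Temp/F-Secure
#   verify_scan_results /mnt/scan/sda1/Temp/F-Secure && echo "copies verified"
# The archive can also be sent to an SSH server with scp, as the page describes:
#   scp /mnt/scan/sda1/Temp/F-Secure/f-secure_results.tar jdoe@myserver.com:.
```

The checksum step matters because the report is the only record of what the scanner renamed; if the partition is later cleaned up or the file is edited, sha256sum -c tells you immediately that the copy no longer matches what the Rescue CD wrote.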
A Secure Shell (SSH) client is available on the Rescue CD along with a secure copy (scp) program, so you can also copy the files to an SSH server with scp. E.g.:
scp scan*.txt jdoe@myserver.com:.
There is also a File Transfer Protocol (FTP) client, NcFTP, on the system which you could use to transfer the files to an FTP server, if you wished. That FTP client program can be started with the command ncftp.
Another alternative is to start an SSH server from the Rescue CD so that you can log into the system remotely. For the steps to take to configure the system as an SSH server see Installing the SSH Server Service on Knoppix.
You can return to the Scan report screen with Alt-F1. When you continue you will have the opportunity to scan again or restart the computer.
Summary
< Scan again > <Restart computer>
Hitting Enter at this point will restart the computer.
F-Secure provides a F-Secure Virus and Threat Descriptions page where you can search for more details on malware it has found. When I scanned a Windows 7 system using the F-Secure Rescue CD, I found the following in the scan_results.txt file:
sda1/ProgramData/n3DVgp33/n3DVgp33.exe: Infected: Gen:Variant.Delf.203 [Aquarius]
The file was identified as infected with Gen:Variant.Delf.203.
I used the search tool available from the F-Secure Virus and Threat Descriptions web page for information on the malware. When I searched on "Variant.Delf.203", no information was returned, but when I searched on "Delf.203", I saw a Trojan:W32/Delf page that identified the malware as Trojan horse malware, with the following mention regarding it:
Delf is a large family of malicious programs, many of which are associated with data theft.
Created: Sunday March 2, 2014