Using F-Secure Rescue CD
When a machine is already infected with malware, you cannot always
trust any antivirus software that is already running on that machine.
Malware will often interfere with the antivirus software, either
disabling it or crippling it in some way so that it does not work or runs
extremely slowly. Sometimes the antivirus software will keep picking up
the same file again and again. Sometimes the antivirus software will
detect nothing, but reports from UCL CST or external sources indicate
that the machine is generating network traffic associated with malware.
This is usually when a rootkit is present, which is hiding files and
processes from the antivirus software.
In these situations it is a good idea to boot from an antivirus live CD,
such as the F-Secure Rescue CD. Any rootkits present will not run when
you boot from the CD, so they can be detected because they can no longer
hide themselves.
Download the F-Secure Rescue CD and unzip the zip file, which contains the user
guide and an ISO file that must then be burned to CD or DVD. When burning the
CD it is important to burn the file as an ‘image’ rather than just burning a normal
data CD. Most CD burning software has the option to burn an ISO file as an image.
InfraRecorder is an example of free software that can do this.
Once you have burned the CD image, reboot the computer with the CD in the drive.
You may have to press a key at an appropriate time in order to boot from the CD.
If the computer still boots into Windows normally, you may have to make
changes to the computer’s BIOS in order to boot from CD. The BIOS can
usually be accessed by pressing a key such as Delete, F10 or F12 as soon as
the computer is switched on. The BIOS settings vary between different
computers, but there is usually an option called ‘Boot order’, ‘Boot
priority’ or something similar. The CD drive should be placed before
the hard drive in the boot order.
When the F-Secure Rescue CD boots, it will start uncompressing Linux and
boot the kernel. Please make sure that you are connected to the network.
Once the F-Secure Rescue CD is loaded, select Next and hit the ENTER
key. It will try to obtain an IP address via DHCP in order to connect
to the internet and obtain the latest virus definition files. If it does
not automatically start updating the virus definition database, you will
need to put the latest virus definition files on a USB drive - see the
instructions below. Click Next to agree to the end user license agreement.
At the next screen you get to select what to scan. It is recommended to
scan all drives. While the scan is ongoing, you can press Alt+F5 to
see details of files being scanned, Alt+F6 to see any malware found and
Ctrl+C to cancel scanning.
The F-Secure Rescue CD renames any files containing malware to a .virus
file extension. In the unlikely event that it renames a system file and
Windows will no longer start, you can use your Windows disk to repair
the operating system. If your computer is working fine after the scan,
simply do a search for all *.virus files and delete them.
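As an added example that is not part of the F-Secure guide, the following PowerShell script does that search from Windows after the scan, but records each renamed file (path, original name, SHA256) and flags anything under the Windows directory before deleting, so a record of what was removed survives. The report path, the -Delete switch and the list of drives are assumptions for this example.

```powershell
# Added example (not from the F-Secure guide): inventory files renamed to
# *.virus by the Rescue CD before deleting them. Run from an elevated
# PowerShell prompt. Without -Delete the script only reports.
param(
    [string[]]$Roots = @('C:\'),                        # drives the Rescue CD scanned (assumed)
    [string]$Report  = "$env:USERPROFILE\virus-files.csv",  # report location (assumed)
    [switch]$Delete                                     # actually remove the files
)

$systemRoot = $env:SystemRoot                            # normally C:\Windows

$found = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter '*.virus' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object Extension -eq '.virus' |            # guard against short-name filter quirks
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                OriginalName = $_.Name -replace '\.virus$', ''   # name before the rename
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                InSystemDir  = $_.FullName.StartsWith($systemRoot, 'OrdinalIgnoreCase')
            }
        }
}

# Keep a record of what was detected before anything is removed.
$found | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} renamed file(s) found; inventory written to {1}" -f @($found).Count, $Report)

# Renamed files under the Windows directory are the case the guide warns
# about: confirm Windows still boots cleanly before deleting these.
$system = @($found | Where-Object InSystemDir)
if ($system.Count -gt 0) {
    Write-Warning "Renamed files under ${systemRoot}:"
    $system | Select-Object Path, OriginalName | Format-Table -AutoSize
}

if ($Delete) {
    $found | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    Write-Host "Deleted $(@($found).Count) file(s)."
}
```

Run it once without -Delete, review the CSV, then run again with -Delete to remove the files.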
F-Secure Rescue CD cannot scan encrypted disks. This includes, for
example, disks encrypted with TrueCrypt Full Disk Encryption or Windows
Vista BitLocker disk encryption.
Please note that if you do not have an internet connection or cannot
obtain an IP address automatically by DHCP, you should download the
Rescue CD virus definition updates to a USB drive. This USB drive must
be empty and 256 MB or greater in size. Just download fsdbupdate9.run
and save it to the root directory of the USB drive. Insert the
USB flash drive into the infected computer, boot up using the F-Secure
Rescue CD and follow the instructions.