Severity scale  
  (70/100)

Donald Dick. How to Remove? (Uninstall Guide)

removal by - -   | Type: Remote Administration Tools
12
This RAT is a powerful hacking tool, used to control victim's PC remotely and collect vital user info by logging all keystrokes. The origination place is Russia. The client is written in Delphi programming language and the server in C. Many variants appeared from August 1999 to July 2004. The author of this pest is Badman Forever. The infection peaked in such countries as China, Italy, Portugal, Turkey, United Kingdom and United States. It affects Windows 9x, NT operating systems. Other versions can be found under such names as Donald Dick 1.5 Beta 3, Donald Dick 1.52, Donald Dick 1.53, Donald Dick 1.54, Donald Dick 1.55.

From the publisher:

" * under Windows95/98: HKLM\System\CurrentControlSet\Services\VxD\VMLDR
* under WindowsNT: HKLM\System\CurrentControlSet\Control\\Session Manager

Installation:

When distribution file is launched:
1. kills existing Dick server
2. extracts the following files into system directory:
under Windows95/98:
oleproc.exe
pnpmgr.pci
vmldr.vxd
under WindowsNT:
oleproc.exe
pmss.exe
bootexec.exe
3. modifies registry
under Windows95/98:
creates VMLDR subkey in HKLM\System\CurrentControlSet\Services\VxD;
creates necessary values in that subkey to load vmldr.vxd when
the system starts up;
under WindowsNT:
adds string "bootexec.exe" to the BootExecute value in the subkey
HKLM\System\CurrentControlSet\Control\\Session Manager
4. creates PData0 and PData1 parameters with values
'D',0,'0','x','9','0','1','5' and
'D',0','2','3','4','7','7'
5. extracts plugins:
jpegcomp.dll (full version only)
6. spawns oleproc.exe



Loading:

1. Dick loader is launched by windows:
NT:
bootexec.exe, at the blue screen time
loader creates the service to be launched later;
the executable file of the service is oleproc.exe
95/98:
vmldr.vxd, init order is SHELL_INIT_ORDER+10
loader calls Win32 ShellExecute service to spawn oleproc.exe;
this VxD also may be loaded dynamically to perform thread management
functions
2. oleproc.exe (launched by loader, installer or manually) kills
existing Dick server, copies itself to:
under WindowsNT:
pmss.exe
under Windows95/98:
pnpmgr.pci
and launches it;
this is done to keep executable file closed to allow upgrades;
during upgrade oleproc.exe is replaced by the new file and that file
is launched immediately
3. pmss.exe under WindowsNT:
stops oleproc.exe service and removes it (unfortunately, you may see
this service for a short time if you quickly log on and open 'services'
applet in the control panel)
pnpmgr.pci under Windows95/98:
hides itself

at the end of this process pmss.exe or pnpmgr.pci is the Donald Dick server" Donald Dick properties:
• Allows remote user connection
• Hides from the user
• Stays resident in background

It might be that we are affiliated with any of our recommended products. Full disclosure can be found in our Agreement of Use. By downloading any of provided Anti-spyware software you agree with our Privacy Policy and Agreement of Use.
Do it now!
Download
Reimage - remover Happiness
Guarantee
Compatible with Microsoft Windows
What to do if failed?
If you failed to remove infection using Reimage Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Donald Dick. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.
Reimage is recommended to uninstall Donald Dick. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.
Not using OS X? Download a remover for Windows.
Press Mentions on Reimage
Alternate Software
Alternate Software
Plumbytes
We are testing Plumbytes's efficiency (2006-02-06 21:02)
Malwarebytes Anti Malware
We are testing Malwarebytes Anti Malware's efficiency (2006-02-06 21:02)
Hitman Pro
Webroot SecureAnywhere AntiVirus

Donald Dick manual removal

Kill processes:
\\system\\otl32.exe, backdoor.donalddick.153.exe, client.exe, ddc152.exe, ddc153.exe, ddc15a.exe, ddcg152.exe, ddcw.exe, ddick.exe, dds153.exe, ddsetup.exe, ddsfind.exe, ddsl15a.exe, install.exe, msaver.exe, mssupd.exe, multiple156.exe, recover.exe, [system, root]\\system\\oleproc.exe
Unregister DLLs:
[system root]\\system\\jpegcomp.dll

Delete files:
!exedef \\system\\otl32.exe, array.c, array.h, backdoor.donalddick.153.exe, chat.c, client.exe, clmain.c, context.inc, cracker.ws.txt, ddc152.exe, ddc153.exe, ddc15a.exe, ddcg152.exe, ddcw.exe, ddick.exe, dds153.exe, ddsetup.c, ddsetup.exe, ddsetup.ini, ddsetup.lnk, ddsetup.rc, ddsfind.c, ddsfind.exe, ddsfind.lnk, ddsl15a.exe, dick.c, dick.diz, dick.lnk, dick.rc, executive.c, executive.h, executive_shots.c, executive_sysspec.c, file_id.diz, funccodes.h, hddkill.asm, install.c, install.exe, installer.c, itable2.inc, jpegcomp.c, keycode.txt, lzwcomp.c, makefile mem.c, more msaver.c, msaver.exe, mssupd.c, mssupd.exe, multiple156.exe, network.c, network.h, network2.c, options.c, paths.c, paths.h, pe.c, pe.h, peloader.asm, rand.c, rand.c1, readme.txt, readme_c.txt, readme_s.txt, recover.c, recover.exe, registry.c, registry.h, rsa.h, rsa.obj, sm.c, sm.c1, sm.h, sm.inc, sm2.c, smdata.c, smdebug.c, smint.h, smloader.asm, smtables.asm, stdlib.c, stdlib.h, stringlist.c, switches.h, syslogsender.c, [system root]\\system\\jpegcomp.dll, [system root]\\system\\oleproc.exe, [system root]\\system\\pnpmgr.pci, [system root]\\system\\vmldr.vxd, toolhelp.c, vxxxd.asm

Geolocation of Donald Dick

Map reveals the prevalence of Donald Dick. Countries and regions that have been affected the most are: United States and United Kingdom.

Information updated:

Comments on Donald Dick

Post a comment

Attention: Use this form only if you have additional information about a parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.

Home page Name



«

(All fields are required)