How to | marcmaynard.exe Virus Removal Guide

Marcmaynard.exe is malware. It is W32.Dranyam, a worm that spreads by copying itself to removable drives such as USB flash drives.

Related files are as follows:
%DriveLetter%\autorun.inf
%DriveLetter%\MarcMaynard.exe
%UserProfile%\Administrator\Desktop\hi.txt
%Windir%\Help\services.exe
%Windir%\Help\svchost.exe

Marcmaynard.exe creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}

It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\
"StubPath" = "C:\WINDOWS\Help\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\
"StubPath" = "C:\WINDOWS\Help\services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Window Title" = "«×¤‡ M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð ‡¤×»"

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\
MUICache\c:\INF\snd\9406607\"Copy of 1.exe" = "Copy of 1"

The executable file modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon\"Userinit" = "userinit.exe, services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\"Hidden" = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"

The worm creates the following registry entry to change the browser home page:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Main\"Start Page" = "M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð"

It copies itself as the following file on all the drives of the compromised computer:
%DriveLetter%\MarcMaynard.exe

It creates the following file on each drive so that the worm executes whenever the drive is accessed, similar to the Long Live Sowar virus:

%DriveLetter%\autorun.inf
How to Remove marcmaynard.exe
    1. Install Process Explorer and run it.
    2. Find "marcmaynard.exe" among the actively running processes.
    3. Right-click it, then select Kill Process Tree.
    4. Process Explorer will ask you “Are you sure you want to kill marcmaynard.exe and its descendants?”
    5. Select Yes, then restart.
    6. If the worm still remains after the restart, repeat the whole process.
Recommended Removal Tools: Process Explorer, HijackThis

To delete the values from the registry (make sure to back up your registry before making modifications):
  • Click Start > Run.
  • Type "regedit" (without the quotes).
  • Click OK. If the virus has modified the registry to prevent access to the registry editor, use Remove Restrictions Tool 2. Continue.
  • Delete these registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
  • Delete these registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\
"StubPath" = "C:\WINDOWS\Help\svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\
"StubPath" = "C:\WINDOWS\Help\services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Main\"Window Title" = "«×¤‡ M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð ‡¤×»"

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\
MUICache\c:\INF\snd\9406607\"Copy of 1.exe" = "Copy of 1"
  • If needed, restore these registry entries to their original values (the values shown here are the ones set by the worm):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon\"Userinit" = "userinit.exe,services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\"Hidden" = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\"HideFileExt" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\"ShowSuperHidden" = "0"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Main\"Start Page" = "M•ä•R•Ç † m•Á•ÿ•Ñ•â•R•Ð"
  • Exit the Registry Editor.
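
A read-only way to confirm the cleanup, added here as an example and not part of the original guide: this PowerShell script looks for the files and registry entries listed above and only reports what it finds. It assumes an elevated prompt, and the HKEY_CURRENT_USER check covers only the user running it.

```powershell
# Added example: read-only check for the W32.Dranyam indicators listed in this guide.
# Nothing is deleted or modified; findings are only reported.
$findings = @()

# Active Setup subkeys and their StubPath values (GUIDs as listed in the guide).
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
foreach ($id in '{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}',
                '{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}') {
    $key = Join-Path $activeSetup $id
    if (Test-Path -LiteralPath $key) {
        $stub = (Get-ItemProperty -LiteralPath $key).StubPath
        $findings += "Active Setup subkey present: $id (StubPath = $stub)"
    }
}

# Winlogon Userinit should not reference services.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon).Userinit
if ($userinit -match 'services\.exe') {
    $findings += "Winlogon Userinit references services.exe: $userinit"
}

# Internet Explorer "Window Title" is absent by default; report it for review.
$ieMain = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
    -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Window Title') {
    $findings += "IE Window Title is set: $($ieMain.'Window Title')"
}

# Dropped files: the copies under %Windir%\Help and the pair on each drive root.
$paths = @("$env:windir\Help\services.exe", "$env:windir\Help\svchost.exe")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $paths += Join-Path $drive.Root 'MarcMaynard.exe'
    # autorun.inf can be legitimate on install media; inspect its contents.
    $paths += Join-Path $drive.Root 'autorun.inf'
}
foreach ($p in $paths) {
    # -Force is needed because the worm's settings hide hidden and system files.
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($item) { $findings += "File present: $($item.FullName)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this guide were found.' }
```

Run it once per user profile, with any removable drives attached, so that the per-user registry values and the drive-root copies are covered.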