XL: How to Identify and Remove PLDT/CAR/SGV Macro Viruses

ID: Q176807


The information in this article applies to:
  • Microsoft Excel for Windows, versions 5.0, 5.0c
  • Microsoft Excel for Windows 95, versions 7.0, 7.0a
  • Microsoft Excel 97 for Windows


SUMMARY

In November 1997, Microsoft identified a new macro virus, the PLDT macro virus, that infects workbooks in Microsoft Excel for Windows. This macro virus is also known as PLDT97 or Laroux E.

In April 1998, Microsoft identified another new macro virus, the CAR macro virus. And, in June 1998, Microsoft identified yet another new macro virus, the SGV macro virus.

This article contains information about these macro viruses, including how to tell when your workbooks have been infected and how to remove the macro viruses from your workbooks.


MORE INFORMATION

General Information About Macro Viruses

The PLDT, CAR, and SGV macro viruses are strains of the Laroux macro virus, which was first identified in July 1996. For more information about the Laroux macro virus, please see the following articles in the Microsoft Knowledge Base:
Q154131 XL: Q&A About Excel Macro/Laroux Macro Virus

Q150990 WE1280: Virus Search Add-in

Q185101 XL: Information About Known Macro Viruses in Microsoft Excel
Because of the design of the PLDT, CAR, and SGV macro viruses, they cannot be detected or removed by the Microsoft Excel Virus Search add-in, version 1.2, or the Microsoft Excel 97 Virus Search add-in, version 2.0. The following section explains how to manually detect and remove these macro viruses.

Detecting and Removing the PLDT, CAR, and SGV Macro Viruses

  • If the PLDT macro virus has infected any of your workbooks, the workbook Pldt.xls will be found in one of the following folders on your computer:
    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart
    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called "pldt".


  • If the CAR macro virus has infected any of your workbooks, the workbook Car.xls will be found in one of the following folders on your computer:
    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart
    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called "car".


  • If the SGV macro virus has infected any of your workbooks, the workbook Sgv.xls will be found in one of the following folders on your computer:
    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart
    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called "sgv".


To remove the PLDT, CAR, and SGV macro viruses from your workbooks, use the appropriate steps for your version of Excel.

In Microsoft Excel 97

  1. On the Tools menu, click Options. Click the General tab. Click the Macro Virus Protection checkbox, and then click OK.


  2. Quit Microsoft Excel 97.


  3. Using Windows Explorer, go to the C:\Program Files\Microsoft Office\Office\Xlstart folder.


  4. If it exists, select the file Pldt.xls. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.


  5. If it exists, select the file Car.xls. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.


  6. If it exists, select the file Sgv.xls. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.


  7. Start Microsoft Excel 97.


  8. Open a workbook that you believe to be infected with the PLDT, CAR, or SGV macro virus. If you receive the following message
    The workbook you are opening contains macros. Some macros may contain viruses that could be harmful to your computer.

    If you are sure this workbook is from a trusted source, click 'Enable Macros'. If you are not sure and want to prevent any macros from running, click 'Disable Macros'.
    click Disable Macros.


  9. On the Tools menu, point to Macro, and then click Visual Basic Editor.


  10. Click Project Explorer on the View menu to make sure the Project Window is visible.


  11. In the Project window, click the plus sign (+) to the left of the word "Modules" below the name of the workbook you just opened.

    If a module named "pldt", "car", or "sgv" is listed, right-click the module name. On the shortcut menu, click "Remove <module>". Click No when you are asked whether to export the module.


  12. On the File menu, click Close And Return To Microsoft Excel.


  13. On the Format menu, click Style.


  14. In the Style Name list box, look for styles whose names contain "pldt", "car", "sgv", or "laroux". If you see such a style listed, select it. Then, click Delete. Repeat this step until no more such styles remain.


  15. On the File menu, click Save. On the File menu, click Close.


  16. Repeat steps 8 through 15 for all workbooks that you believe to be infected with the PLDT, CAR, or SGV macro virus.

    Also, if any other workbooks, such as Personal.xls, are listed in the Project window in the Visual Basic Editor, click the plus sign to the left of the word Modules below each workbook's name. If any modules named "pldt", "car", or "sgv" are displayed, right-click the module name, and then click "Remove <module>" on the shortcut menu.


Until you are absolutely certain that the PLDT, CAR, and SGV macro viruses have been completely removed from your computer, click Disable Macros every time you open a workbook. If you open a workbook that contains the PLDT, CAR, or SGV macro virus and click Enable Macros, the macro virus will begin to infect your workbooks again.

NOTE: If you have exchanged workbooks with anyone else, you should alert them to the possibility that their workbooks may also be infected by the PLDT, CAR, or SGV macro virus.

In Microsoft Excel 5.0 or 7.0

  1. Quit Microsoft Excel.


  2. Using Windows Explorer, go to the Xlstart folder for your version of Microsoft Excel.


  3. Select the file Pldt.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.


  4. Select the file Car.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.


  5. Select the file Sgv.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.


  6. Start Microsoft Excel.


  7. Open a workbook that you believe to be infected with the PLDT, CAR, or SGV macro virus. As you open the workbook, hold down the SHIFT key; this will prevent any Auto_Open macros in the workbook from running.


  8. On the Format menu, point to Sheet, and click Unhide. If "pldt", "car", or "sgv" is listed in the Unhide Sheet list box, click it, and then click OK.


  9. On the Edit menu, click Delete Sheet. Click OK to permanently delete the sheet.


  10. On the Format menu, click Style.


  11. In the Style Name list box, look for styles whose names contain "pldt", "car", "sgv", or "laroux". If you see such a style listed, select it. Then, click Delete. Repeat this step until no more such styles remain.


  12. On the File menu, click Save. On the File menu, click Close.


  13. Repeat steps 7 through 12 for all workbooks that you believe to be infected with the PLDT, CAR, or SGV macro virus.

    Also, if you have a personal macro workbook (Personal.xls), you may need to unhide it (on the Window menu, click Unhide), perform steps 8 and 9, and then rehide the personal macro workbook (on the Window menu, click Hide). When you quit Microsoft Excel, click Yes to save changes to the personal macro workbook.


If you are uncertain as to whether or not a workbook is infected with the PLDT, CAR, or SGV macro virus, hold down the SHIFT key while you open the workbook, and then perform steps 8 through 10.

NOTE: If you have exchanged workbooks with anyone else, you should alert them to the possibility that their workbooks may also be infected by the PLDT, CAR, or SGV macro virus.

Using Third-party Anti-virus Software to Remove Macro Viruses

Some third-party anti-virus programs have developed updated signature files that allow you to detect and remove macro viruses such as the PLDT, CAR, and SGV macro viruses. For information about updated signature files, check the Web site of the company that developed your anti-virus program.

The following are Web addresses for some commonly used anti-virus programs.


   Manufacturer        Web Address
   ----------------------------------------------------------

   Symantec            http://www.symantec.com/nav/index.html
   Network Associates  http://www.nai.com/asp_set/products/tvd/intro.asp
                          
   Command Software    http://www.commandcom.com/html/products/fprot.html
   Computer Associates http://www.cai.com/virusinfo/  

Additional query words: XL5 XL7 XL97 laroux.e pldt.xls car.xls cecilia sgv.xls

Keywords : kbdta xlloadsave KbVBA
Version : WINDOWS:5.0,5.0c,7.0,7.0a,97
Platform : WINDOWS
Issue type : kbprb


Last Reviewed: July 16, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.