XL: How to Identify and Remove PLDT/CAR/SGV Macro Viruses
ID: Q176807
|
The information in this article applies to:
-
Microsoft Excel for Windows, versions 5.0, 5.0c
-
Microsoft Excel for Windows 95, versions 7.0, 7.0a
-
Microsoft Excel 97 for Windows
SUMMARY
In November 1997, Microsoft identified a new macro virus, the PLDT macro
virus, that infects workbooks in Microsoft Excel for Windows. This macro
virus is also known as PLDT97 or Laroux E.
In April 1998, Microsoft identified another new macro virus, the CAR
macro virus. And, in June 1998, Microsoft identified yet another new
macro virus, the SGV macro virus.
This article contains information about these macro viruses, including
how to tell when your workbooks have been infected and how to remove the
macro viruses from your workbooks.
MORE INFORMATIONGeneral Information About Macro Viruses
The PLDT, CAR, and SGV macro viruses are strains of the Laroux macro
virus, which was first identified in July 1996. For more information
about the Laroux macro virus, please see the following articles in the
Microsoft Knowledge Base:
Q154131
XL: Q&A About Excel Macro/Laroux Macro Virus
Q150990
WE1280: Virus Search Add-in
Q185101
XL: Information About Known Macro Viruses in Microsoft
Excel
Because of the design of the PLDT, CAR, and SGV macro viruses, they
cannot be detected or removed by the Microsoft Excel Virus Search add-in,
version 1.2, or the Microsoft Excel 97 Virus Search add-in, version 2.0.
The following section explains how to manually detect and remove these
macro viruses.
Detecting and Removing the PLDT, CAR, and SGV Macro Viruses
- If the PLDT macro virus has infected any of your workbooks, the
workbook Pldt.xls will be found in one of the following folders on
your computer:
C:\Excel\Xlstart
C:\Program Files\Microsoft Office\Office\Xlstart
Also, any workbooks that are infected by the macro virus will contain
a Visual Basic module called "pldt".
- If the CAR macro virus has infected any of your workbooks, the
workbook Car.xls will be found in one of the following folders on
your computer:
C:\Excel\Xlstart
C:\Program Files\Microsoft Office\Office\Xlstart
Also, any workbooks that are infected by the macro virus will contain
a Visual Basic module called "car".
- If the SGV macro virus has infected any of your workbooks, the
workbook Sgv.xls will be found in one of the following folders on
your computer:
C:\Excel\Xlstart
C:\Program Files\Microsoft Office\Office\Xlstart
Also, any workbooks that are infected by the macro virus will contain
a Visual Basic module called "sgv".
To remove the PLDT, CAR, and SGV macro viruses from your workbooks,
use the appropriate steps for your version of Excel.
In Microsoft Excel 97
- On the Tools menu, click Options. Click the General tab. Click the
Macro Virus Protection checkbox, and then click OK.
- Quit Microsoft Excel 97.
- Using Windows Explorer, go to the C:\Program Files\Microsoft
Office\Office\Xlstart folder.
- If it exists, select the file Pldt.xls. On the File menu, click
Delete. Click Yes if you are asked whether to move the file to the
Recycle Bin.
- If it exists, select the file Car.xls. On the File menu, click
Delete. Click Yes if you are asked whether to move the file to the
Recycle Bin.
- If it exists, select the file Sgv.xls. On the File menu, click
Delete. Click Yes if you are asked whether to move the file to the
Recycle Bin.
- Start Microsoft Excel 97.
- Open a workbook that you believe to be infected with the PLDT, CAR,
or SGV macro virus.
If you receive the following message
The workbook you are opening contains macros. Some macros may
contain viruses that could be harmful to your computer.
If you are sure this workbook is from a trusted source, click
'Enable Macros'. If you are not sure and want to prevent any
macros from running, click 'Disable Macros'.
click Disable Macros.
- On the Tools menu, point to Macro, and then click Visual Basic Editor.
- Click Project Explorer on the View menu to make sure the Project
Window is visible.
- In the Project window, click the plus sign (+) to the left of the
word "Modules" below the name of the workbook you just opened.
If a module named "pldt", "car", or "sgv" is listed, right-click the
module name. On the shortcut menu, click "Remove <module>". Click No
when you are asked whether to export the module.
- On the File menu, click Close And Return To Microsoft Excel.
- On the Format menu, click Style.
- In the Style Name list box, look for styles whose names contain
"pldt", "car", "sgv", or "laroux". If you see such a style listed,
select it. Then, click Delete. Repeat this step until no more such
styles remain.
- On the File menu, click Save. On the File menu, click Close.
- Repeat steps 8 through 15 for all workbooks that you believe to be
infected with the PLDT, CAR, or SGV macro virus.
Also, if any other workbooks, such as Personal.xls, are listed in the
Project window in the Visual Basic Editor, click the plus sign to the
left of the word Modules below each workbook's name. If any modules
named "pldt", "car", or "sgv" are displayed, right-click the module
name, and then click "Remove <module>" on the shortcut menu.
Until you are absolutely certain that the PLDT, CAR, and SGV macro viruses
have been completely removed from your computer, click Disable Macros
every time you open a workbook. If you open a workbook that contains the
PLDT, CAR, or SGV macro virus and click Enable Macros, the macro virus will
begin to infect your workbooks again.
NOTE: If you have exchanged workbooks with anyone else, you should alert
them to the possibility that their workbooks may also be infected by the
PLDT, CAR, or SGV macro virus.
In Microsoft Excel 5.0 or 7.0
- Quit Microsoft Excel.
- Using Windows Explorer, go to the Xlstart folder for your version of
Microsoft Excel.
- Select the file Pldt.xls, and click Delete on the File menu. Click Yes
if you are asked if you want to move the file to the Recycle Bin.
- Select the file Car.xls, and click Delete on the File menu. Click Yes
if you are asked if you want to move the file to the Recycle Bin.
- Select the file Sgv.xls, and click Delete on the File menu. Click Yes
if you are asked if you want to move the file to the Recycle Bin.
- Start Microsoft Excel.
- Open a workbook that you believe to be infected with the PLDT, CAR, or
SGV macro virus. As you open the workbook, hold down the SHIFT key;
this will prevent any Auto_Open macros in the workbook from running.
- On the Format menu, point to Sheet, and click Unhide. If "pldt",
"car", or "sgv" is listed in the Unhide Sheet list box, click it, and
then click OK.
- On the Edit menu, click Delete Sheet. Click OK to permanently delete
the sheet.
- On the Format menu, click Style.
- In the Style Name list box, look for styles whose names contain
"pldt", "car", "sgv", or "laroux". If you see such a style listed,
select it. Then, click Delete. Repeat this step until no more such
styles remain.
- On the File menu, click Save. On the File menu, click Close.
- Repeat steps 7 through 12 for all workbooks that you believe to be
infected with the PLDT, CAR, or SGV macro virus.
Also, if you have a personal macro workbook (Personal.xls), you may
need to unhide it (on the Window menu, click Unhide), perform steps 8
and 9, and then rehide the personal macro workbook (on the Window menu,
click Hide). When you quit Microsoft Excel, click Yes to save changes
to the personal macro workbook.
If you are uncertain as to whether or not a workbook is infected with the
PLDT, CAR, or SGV macro virus, hold down the SHIFT key while you open the
workbook, and then perform steps 8 through 10.
NOTE: If you have exchanged workbooks with anyone else, you should alert
them to the possibility that their workbooks may also be infected by the
PLDT, CAR, or SGV macro virus.
Using Third-party Anti-virus Software to Remove Macro Viruses
Some third-party anti-virus programs have developed updated signature files
that allow you to detect and remove macro viruses such as the PLDT, CAR,
and SGV macro viruses. For information about updated signature files, check
the Web site of the company that developed your anti-virus program.
The following are Web addresses for some commonly used anti-virus programs.
Manufacturer Web Address
----------------------------------------------------------
Symantec http://www.symantec.com/nav/index.html
Network Associates http://www.nai.com/asp_set/products/tvd/intro.asp
Command Software http://www.commandcom.com/html/products/fprot.html
Computer Associates http://www.cai.com/virusinfo/
Additional query words:
XL5 XL7 XL97 laroux.e pldt.xls car.xls cecilia sgv.xls
Keywords : kbdta xlloadsave KbVBA
Version : WINDOWS:5.0,5.0c,7.0,7.0a,97
Platform : WINDOWS
Issue type : kbprb
|