Microsoft KB Archive/176807

From BetaArchive Wiki

Article ID: 176807

Article Last Modified on 8/17/2005



APPLIES TO

  • Microsoft Excel 97 Standard Edition
  • Microsoft Excel 95 Standard Edition
  • Microsoft Excel 5.0 Standard Edition



This article was previously published under Q176807


SUMMARY

In November 1997, Microsoft identified a new macro virus, the PLDT macro virus, that infects workbooks in Microsoft Excel for Windows. This macro virus is also known as PLDT97 or Laroux E.

In April 1998, Microsoft identified another new macro virus, the CAR macro virus. And, in June 1998, Microsoft identified yet another new macro virus, the SGV macro virus.

This article contains information about these macro viruses, including how to tell when your workbooks have been infected and how to remove the macro viruses from your workbooks.

MORE INFORMATION

General Information About Macro Viruses

The PLDT, CAR, and SGV macro viruses are strains of the Laroux macro virus, which was first identified in July 1996. For more information about the Laroux macro virus, please click the article numbers below to view the articles in the Microsoft Knowledge Base:

154131 XL: Q&A About Excel Macro/Laroux Macro Virus

150990 XL: How to Use the Virus Search Add-in for Microsoft Excel (WE1280)

185101 XL: Information About Known Macro Viruses in Microsoft Excel


Because of the design of the PLDT, CAR, and SGV macro viruses, they cannot be detected or removed by the Microsoft Excel Virus Search add-in, version 1.2, or the Microsoft Excel 97 Virus Search add-in, version 2.0. The following section explains how to manually detect and remove these macro viruses.

How to Detect and Remove the PLDT, CAR, and SGV Macro Viruses

  • If the PLDT macro virus has infected any of your workbooks, the workbook Pldt.xls or Results.xls will be found in one of the following folders on your computer:

    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart

    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called pldt.
  • If the CAR macro virus has infected any of your workbooks, the workbook Car.xls will be in one of the following folders on your computer:

    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart

    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called car.
  • If the SGV macro virus has infected any of your workbooks, the workbook Sgv.xls will be in one of the following folders on your computer:

    C:\Excel\Xlstart

    C:\Program Files\Microsoft Office\Office\Xlstart

    Also, any workbooks that are infected by the macro virus will contain a Visual Basic module called sgv.

To remove the PLDT, CAR, and SGV macro viruses from your workbooks, use the appropriate steps for your version of Excel.

In Microsoft Excel 97

  1. On the Tools menu, click Options. Click the General tab. Click the Macro Virus Protection check box, and then click OK.
  2. Quit Microsoft Excel 97.
  3. Using Windows Explorer, go to the C:\Program Files\Microsoft Office\Office\Xlstart folder.
  4. If the Pldt.xls file exists, select it. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.
  5. If the Car.xls file exists, select it. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.
  6. If the Sgv.xls file exists, select it. On the File menu, click Delete. Click Yes if you are asked whether to move the file to the Recycle Bin.
  7. Start Microsoft Excel 97.
  8. Open a workbook that you believe to be infected with the PLDT, CAR, or SGV macro virus.

    If you receive the following message

    The workbook you are opening contains macros. Some macros may contain viruses that could be harmful to your computer.

    If you are sure this workbook is from a trusted source, click 'Enable Macros'. If you are not sure and want to prevent any macros from running, click 'Disable Macros'.

    click Disable Macros.
  9. On the Tools menu, point to Macro, and then click Visual Basic Editor.
  10. Click Project Explorer on the View menu to make sure the Project window is visible.
  11. In the Project window, click the plus sign (+) to the left of the word "Modules" below the name of the workbook you just opened.

    If a module named "pldt", "car", or "sgv" is listed, right-click the module name. On the shortcut menu, click Remove <module>. Click No when you are asked whether to export the module.
  12. On the File menu, click Close And Return To Microsoft Excel.
  13. On the Format menu, click Style.
  14. In the Style name" list, look for styles whose names contain "pldt", "car", "sgv", or "laroux". If you see such a style listed, select it. Then, click Delete. Repeat this step until no more such styles remain. You can also use a macro to reset a workbook to its default styles. For additional information about resetting workbook styles, click the article number below to view the article in the Microsoft Knowledge Base:

    247982 XL: How to Programmatically Reset a Workbook to Default Styles

  15. On the File menu, click Save. On the File menu, click Close.
  16. Repeat steps 8 through 15 for all workbooks that you think are infected with the PLDT, CAR, or SGV macro virus.

    Also, if any other workbooks, such as Personal.xls, are listed in the Project window in the Visual Basic Editor, click the plus sign to the left of the word "Modules" below each workbook's name. If any modules named "pldt", "car", or "sgv" are displayed, right-click the module name, and then click Remove <module> on the shortcut menu.

Until you are absolutely certain that the PLDT, CAR, and SGV macro viruses have been completely removed from your computer, click Disable Macros every time you open a workbook. If you open a workbook that contains the PLDT, CAR, or SGV macro virus and click Enable Macros, the macro virus will begin to infect your workbooks again.

NOTE: If you have exchanged workbooks with anyone else, you should alert them to the possibility that their workbooks may also be infected by the PLDT, CAR, or SGV macro virus.

In Microsoft Excel 5.0 or 7.0

  1. Quit Microsoft Excel.
  2. Using Windows Explorer, go to the Xlstart folder for your version of Microsoft Excel.
  3. Select the file Pldt.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.
  4. Select the file Car.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.
  5. Select the file Sgv.xls, and click Delete on the File menu. Click Yes if you are asked if you want to move the file to the Recycle Bin.
  6. Start Microsoft Excel.
  7. Open a workbook that you believe to be infected with the PLDT, CAR, or SGV macro virus. As you open the workbook, hold down the SHIFT key; this will prevent any Auto_Open macros in the workbook from running.
  8. On the Format menu, point to Sheet, and click Unhide. If "pldt", "car", or "sgv" is listed in the Unhide Sheet list box, click it, and then click OK.
  9. On the Edit menu, click Delete Sheet. Click OK to permanently delete the sheet.
  10. On the Format menu, click Style.
  11. In the Style Name list, look for styles whose names contain "pldt", "car", "sgv", or "laroux". If you see such a style listed, select it. Then, click Delete. Repeat this step until no more such styles remain. You can also use a macro to reset a workbook to its default styles. For additional information about resetting workbook styles, click the article number below to view the article in the Microsoft Knowledge Base:

    247982 XL: How to Programmatically Reset a Workbook to Default Styles

  12. On the File menu, click Save. On the File menu, click Close.
  13. Repeat steps 7 through 12 for all workbooks that you think are infected with the PLDT, CAR, or SGV macro virus.

    Also, if you have a personal macro workbook (Personal.xls), you may need to unhide it (on the Window menu, click Unhide), perform steps 8 and 9, and then rehide the personal macro workbook (on the Window menu, click Hide). When you quit Microsoft Excel, click Yes to save changes to the personal macro workbook.

If you are uncertain as to whether or not a workbook is infected with the PLDT, CAR, or SGV macro virus, hold down the SHIFT key while you open the workbook, and then perform steps 8 through 10.

NOTE: If you have exchanged workbooks with anyone else, you should alert them to the possibility that their workbooks may also be infected by the PLDT, CAR, or SGV macro virus.

Using Third-party Antivirus Software to Remove Macro Viruses

Some third-party antivirus programs have developed updated signature files that allow you to detect and remove macro viruses such as the PLDT, CAR, and SGV macro viruses. For information about updated signature files, check the Web site of the company that developed your antivirus program.

The following are Web addresses for some commonly used antivirus programs.

   Manufacturer        Web Address
   ----------------------------------------------------------

   Symantec            http://www.symantec.com/nav/index.html
   Network Associates  http://www.nai.com/asp_set/products/tvd/intro.asp
                          
   Command Software    http://www.commandcom.com/html/products/fprot.html
   Computer Associates http://www.cai.com/virusinfo/ 
                


Additional query words: XL5 XL7 XL97 laroux.e pldt.xls car.xls cecilia sgv.xls XL

Keywords: kbprb KB176807