Remove a virus module without opening excel file or enabling macro

gifariz

New Member
Joined
May 2, 2021
Messages
38
Office Version
  1. 365
Platform
  1. Windows
Hi, all. I have a problem with a virus in the form of an Excel VBA module spreading in our office. In particular, the virus name is "results", in case anyone knows it.
This virus module creates an Excel file in a deep C drive folder and keeps creating new virus modules in all Excel files that we open, and saves them as macro-enabled files.
I know how to remove the virus: by removing the virus module from the infected Excel file and deleting the virus source in the deep C drive folder manually.
But the problem is, whenever another infected file is opened and macros are enabled, it will spread the virus again.

I know the macro for opening an Excel file and for removing a module (it looks like below, not tested), but the virus will spread again if the infected file is opened and macros are enabled.
VBA Code:
Sub RemoveMacroIfExists()
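    Dim MyFileName As String
    Dim MyPathName As String
    Dim MyModuleName As String
    Dim MyModule As Object
    
    'Below will be updated to be iterative
    MyPathName = Range("A2").Value      'Folder path, including the trailing "\"
    MyFileName = Range("A1").Value      'Workbook file name
    MyModuleName = "results"
    
    'This opens the workbook normally, so its macros run if they are enabled
    Workbooks.Open Filename:=MyPathName & MyFileName
    Workbooks(MyFileName).Activate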
    
    On Error Resume Next
    Set MyModule = ActiveWorkbook.VBProject.VBComponents(MyModuleName).CodeModule
    If Err.Number = 0 Then
        ActiveWorkbook.VBProject.VBComponents.Remove ActiveWorkbook.VBProject.VBComponents(MyModuleName)
    End If
    On Error GoTo 0
    
End Sub
So, I want to make a macro that checks all xlsm files on our computer for a certain module and removes the module if found, without opening the Excel file or enabling macros in that file.
Is that possible?

I want to make this macro because the other employees just don't know anything about macros. So I cannot tell them how to remove the virus module and source manually and prevent future infection.
Thank you for reading and thank you in advance.
 


johnnyL

Well-known Member
Joined
Nov 7, 2011
Messages
3,819
Office Version
  1. 2016
  2. 2013
  3. 2007
Platform
  1. Windows
@gifariz, I think I might have some code that could be adapted for you.

Are all of the Excel .xlsm files located in one folder? If not, you mentioned 'computer', that is a large area to search, you will probably have to let me know a narrower search range.

The code that I have, that I think will be useful to you, after adapting it, looks at all files in the scope/macro names within/codes within. This could be used to compile a list of alleged 'infected' files.
 

johnnyL

... This virus module creates an Excel file in a deep C drive folder and keeps creating new virus modules in all Excel files that we open, and saves them as macro-enabled files.
I know how to remove the virus: by removing the virus module from the infected Excel file and deleting the virus source in the deep C drive folder manually.
But the problem is, whenever another infected file is opened and macros are enabled, it will spread the virus again.

So, I want to make a macro that checks all xlsm files on our computer for a certain module and removes the module if found, without opening the Excel file or enabling macros in that file.
Is that possible?

@gifariz You didn't specify which 'deep C drive folder'/excel file would need to be deleted.

You also didn't specify which module the potential infected sub routine 'results' is located in. Does the module/location change? Do you want that entire module deleted or just the sub routine called 'results' deleted?

It sounds like you know exactly where the problems exist, but you haven't let us know so that we can assist you.
 

gifariz

@gifariz You didn't specify which 'deep C drive folder'/excel file would need to be deleted.

You also didn't specify which module the potential infected sub routine 'results' is located in. Does the module/location change? Do you want that entire module deleted or just the sub routine called 'results' deleted?

It sounds like you know exactly where the problems exist, but you haven't let us know so that we can assist you.
Hi, sorry for my late response, thank you for your response.
If you have some code samples, I can try to modify the code. For example, the file location can be a variable I can fill out later.

But to be clear again, there are two things I need to do here, but only the second one is something I cannot do:
1. Deleting the virus source file. Not deleting the module/sub-routine.
The deep C virus source is "C:\Users\AppData\Roaming\Microsoft\Excel\XLSTART\RESULTS.xlsm".
This is not the problem in this thread. I have a separate working sub-routine for deleting this file, no problem.
2. Removing "results" module from infected files.
Every time a clean xls file is opened, the virus source will create a "results" module in this file and save this file as xlsm, so it becomes an infected file.
Then, every time an infected file is opened and macros are enabled, the "results" module will create a new source file in the deep C drive.
Therefore, opening the infected file or running the macro here is unfavorable because the virus can spread again this way.
And I want to delete the module (not sub-routine, not the file).

Thank you.
 

johnnyL

I think you may have terms confused, so please post again what you want to do after I explain some things.

You said the 'deep C virus source' is not an issue & you can handle that so I will not address that.

Are you dealing with a module called 'results'? Normally modules contain Subroutines/Functions which would be named 'results' in your case. Are you saying that you want to look for a module that is actually called 'results' & delete that entire module & all of the Subroutines/Functions within that module called 'results'?
 

johnnyL

I already have code that searches for every module & the subroutines/Functions within them. If you are truly just looking for module names, I could easily remove the extra checks for the subroutines/functions.

Let me know.
 

gifariz

I already have code that searches for every module & the subroutines/Functions within them. If you are truly just looking for module names, I could easily remove the extra checks for the subroutines/functions.

Let me know.
I mentioned the virus source in the C folder just to explain the situation, because the virus source file is created by the "results" module from an infected file, and the virus source file infects other files by adding a new "results" module to any opened file. It is to explain that opening an infected file or enabling macros in an infected file is unfavorable.

My code in the post above works for removing a module. But it needs to open the infected file, so the virus spreads again. What I need is to remove the module without opening an infected file or enabling macros in the infected file. The module name is exactly "results"; it is not a sub name.
 

johnnyL

That is where you are losing me. A module name does not execute code. The procedures within a module might.
 

johnnyL

The following should do what you stated that you want it to do:

VBA Code:
Sub RemoveSpecificModulesV1()
'
' Delete entire Module. You will have to enable 'Trust access to the VBA project object model' in the Trust Center
'
'
' This script will search all '.xlsm' files in a chosen folder for all modules
'
' It opens all .xlsm files, in the folder chosen, in 'ReadOnly' mode.
' Enable events are turned off while running this script. This prevents Workbook_Open & Workbook_BeforeClose from executing.
'
' It will delete a set module, if found, and save the workbook after the code has been deleted.
'
' I'm not aware of anything else that can be added to reduce chance of nefarious code from executing while executing this script.
'
    Dim SelectedFolder          As FileDialog, SelectedFolderPath   As String
'
    Set SelectedFolder = Application.FileDialog(msoFileDialogFolderPicker)                  ' Save the selected folder
        SelectedFolder.AllowMultiSelect = False                                             '   Multiple Selected folders = False
        SelectedFolder.Title = "Select a folder to search for excel files."                 '   Establish the title for the 'Select Folder' dialog box
'
    If SelectedFolder.Show = -1 Then                                                        ' Display the dialog box
        SelectedFolderPath = SelectedFolder.SelectedItems(1) & "\"                          '   Append "\" to the folder path selected
    End If
'
    If SelectedFolderPath = "" Then Exit Sub                                                ' If User cancelled folder selection, exit sub
'
'-------------------------------------------------------------------------------------------
'
    Dim ExcelFolder             As Object, File                     As Object
    Dim FSO                     As Object
    Dim VBCodeModule            As Object, VBComp                   As Object, VBProj               As Object
    Dim ModuleToDelete          As String
    Dim Wbk                     As Workbook
'
    ModuleToDelete = "results"                                                              ' <--- set this to the module that you want to delete
'
    Application.ScreenUpdating = False                                                      ' Turn off ScreenUpdating
      Application.EnableEvents = False                                                      ' Disable triggered macros
'
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set ExcelFolder = FSO.GetFolder(SelectedFolderPath)
'
'-------------------------------------------------------------------------------------------
'
    For Each File In ExcelFolder.Files                                                      ' Loop through files in the selected folder
        If LCase(Right(File.Name, 5)) = ".xlsm" Then                                        '   If .xlsm file found then ...
            Set Wbk = Nothing                                                               '       Forget the workbook from the previous loop
            On Error Resume Next                                                            '       Ignore errors if open workbook fails
            Set Wbk = Workbooks.Open(SelectedFolderPath & File.Name, False, True)           '       Open the Found workbook,Don't update links, Read only
            On Error GoTo 0                                                                 '       Return error handling back to Excel
'
            If Not Wbk Is Nothing Then                                                      '       Only continue if the workbook actually opened
                Set VBProj = Wbk.VBProject                                                  '
'
'-------------------------------------------------------------------------------------------
'
                For Each VBComp In VBProj.VBComponents                                      '       Loop through every module in the workbook
                    If VBComp.Name = ModuleToDelete Then                                    '           If Module is what we want to delete then ...
                        VBProj.VBComponents.Remove VBComp                                   '               Delete the module
                        DoEvents
'
                        Wbk.ChangeFileAccess Mode:=xlReadWrite                              '               Change workbook to Read/Write mode to save it
                        Wbk.Save                                                            '               Save the workbook that had the module deleted
                        Wbk.ChangeFileAccess Mode:=xlReadOnly                               '               Change workbook back to ReadOnly mode
                        Exit For                                                            '               Module names are unique, stop looking
                    End If
                Next                                                                        '       Loop back for next module in workbook
'
                Wbk.Close SaveChanges:=False                                                '       Close workbook without saving it
            End If
        End If
    Next                                                                                    ' Loop back for next excel workbook
'
    Set VBCodeModule = Nothing
          Set VBComp = Nothing
          Set VBProj = Nothing
'
      Application.EnableEvents = True                                                       ' Turn EnableEvents back on
    Application.ScreenUpdating = True                                                       ' Turn ScreenUpdating back on
MsgBox "All modules with the designated name of '" & ModuleToDelete & "' have been deleted from the .xlsm files in " & SelectedFolderPath
End Sub
 
Solution
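
An added example, not part of the thread or either poster's code: an .xlsm file is a ZIP archive whose macros live in the part `xl/vbaProject.bin`, so a Python script can check for a module and write a macro-free copy without ever starting Excel. The 128-byte name match is a heuristic, `make_sample` builds a constructed stand-in file, and `strip_vba` drops the entire VBA project, which assumes the workbooks had no macros of their own.

```python
import io
import re
import zipfile

VBA_PART = "xl/vbaProject.bin"
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

def has_vba_module(xlsm_bytes, module="results"):
    """Heuristic: is there a VBA stream named `module`? Excel is never started."""
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        if VBA_PART not in zf.namelist():
            return False
        blob = zf.read(VBA_PART).lower()
    # OLE directory entries are 128-byte aligned and start with the UTF-16LE stream name.
    needle = (module + "\0").encode("utf-16-le").lower()
    return any(blob.startswith(needle, i) for i in range(0, len(blob), 128))

def strip_vba(xlsm_bytes):
    """Return .xlsx bytes: all parts copied, the whole VBA project dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == VBA_PART:
                continue
            data = src.read(item)
            if item.filename in ("[Content_Types].xml", "xl/_rels/workbook.xml.rels"):
                text = data.decode("utf-8").replace(MACRO_CT, PLAIN_CT)
                # Drop the <Override>/<Relationship> element pointing at the VBA part.
                text = re.sub(r"<(Override|Relationship)\b[^>]*vbaProject\.bin[^>]*/>", "", text)
                data = text.encode("utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()

def make_sample(module="results"):
    """Constructed stand-in for an infected .xlsm (minimal, not a real workbook)."""
    fake_ole = b"\xd0\xcf\x11\xe0".ljust(512, b"\0") + (module + "\0").encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types><Override PartName="/xl/workbook.xml" '
                    f'ContentType="{MACRO_CT}"/><Override PartName="/xl/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("xl/_rels/workbook.xml.rels", '<Relationships><Relationship Id="rId9" '
                    'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
                    'Target="vbaProject.bin"/></Relationships>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr(VBA_PART, fake_ole)
    return buf.getvalue()
```

Read real files with `pathlib.Path(p).read_bytes()` and save the output of `strip_vba` under an `.xlsx` name. Where a workbook must be opened from VBA anyway, setting `Application.AutomationSecurity = msoAutomationSecurityForceDisable` first stops its macros from running.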

gifariz

Thank you very much for your effort. I didn't expect fully working code; sample code of the important lines would've been fine. Amazing, thank you.
I am now on vacation. I will try it next week and let you know the update, but I will mark your code as the solution nevertheless.
 
