Plam File Locker - How to remove

Plam is ransomware – a malware infection that breaks your files by encrypting them. The harm Plam causes can be devastating. Especially as, if you didn’t have backups, there’s no easy way to fix the broken files.

In addition, Plam installs adware and spyware, which bring their own problems – they can cause more malware infections. Before getting your data back, it’s important to remove Plam and all other malware.

About Plam ransomware:

Threat type	Ransomware, trojan.
Plam infection symptoms	Files cannot be opened, file names are changed with a new extension being added, ransom notes are left in some folders, excessive ads appear in web browsers.
How to recover the lost data	Restore from backups, use the decryption tool, use file recovery programs, repair the files.
How to remove Plam ransomware	Fix your hosts file and other settings, find and remove all malware with antivirus programs (such as Spyhunter), protect your personal information.

How Plam ransomware works

Installed with other malware

Plam ransomware is a type of Djvu ransomware, together with Pola, Wbxd, and many other examples.

You can recognize its infection by a few features:

• Many of your files can’t be opened. They have blank pages as icons and “plam” as a second extension.
• Files called “_readme.txt” are left in many folders. They contain a message from the criminals responsible for the Plam attack.
• Excessive ads in your browsers.
• Some websites don’t open.
• Task manager doesn’t open.

Plam ransomware might come with pirated software or any free program that’s infected with a malicious downloader. And it’s very likely that other malware besides the Plam ransomware is also installed. For instance, Djvu has been known to install the AzoRult trojan – an info stealer.

Can you get your data back?

Backups and free decryption

Ransomware like Plam relies on secure encryption to make sure that the victims can’t fix their files without contacting the criminals and paying for the decryption tools.

There’s no free solution (except for a rare exception). In the rare cases where your version of Plam failed to go online, it’s possible that your decryption key is shared with a few other victims of this ransomware. Then, it’s possible that you can get your files decrypted for free. Read more on Emsisoft.com.

But it’s unlikely for anyone to get so “lucky”. This is why it’s so important to have backups – so that you can restore your data from them in case of a ransomware attack or a hardware failure.

It’s also important to avoid scammers – people who promise to fix your files for a fee. There’s no miracle cure for Plam ransomware, so be careful of anyone who makes unrealistic promises.

Other methods

Even if you don’t have backups of your data, there are a few other ways to restore it. Only maybe, and only some of the data, and not easily at all. I don’t want to get your hopes up.

File recovery programs can be used to bring back deleted files. It’s never a sure thing and it depends on your circumstances (such as how long it’s been since the files were lost). It might also require you to have additional storage devices. Prepare very carefully before attempting to bring back files, but don’t delay.

File repair programs and services might also help. One of the things that help Plam be so fast and effective is that it doesn’t bother encrypting whole files, but only portions that are enough to break them. Some data in those files is left unencrypted and a professional might be able to restore some of it. Keep the files that Plam encrypted somewhere on a backup – you can get to them later.

How to remove Plam ransomware

Use antivirus programs to scan your computer and find and delete all malware. Not just Plam ransomware, but also any adware and spyware that was likely installed with it. Use an antivirus program that you trust (like Spyhunter) and make sure that you’re using a version with the latest updates. Since Plam might have disabled your antivirus or even deleted some of its files.

Below are the instructions for repairing your hosts file (since Plam edits it) and using safe mode to remove malware. You might also need to repair your Task Manager.

Once you’re sure that Plam and other malware are all gone, it’s advised to reset passwords. Spyware infections might steal private data such as usernames and passwords that are saved in your online apps (web browsers and others). I’ve seen some victims of Djvu ransomware say that they had their accounts hacked after the infection. To avoid this happening to you, it’s enough to reset your passwords and make sure that you’re using 2FA where possible (Two-Factor Authentication: Who Has It and How to Set It Up).

Important -- edit the hosts file to unblock security websites

TL DR : The hosts file is edited to block security sites Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites is inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found on C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to see hidden files.

1. In the Start Menu, search for Control Panel.
2. In the Control Panel, find Appearance and Personalization.
3. Select Folder Options.
4. Open the View tab.
5. Open Advanced settings.
6. Select "Show hidden files...".
7. Select OK.

Open this file with administrator privileges.

1. Open the Start Menu and enter "notepad".
2. When Notepad shows up in the result, right-click on it.
3. In the menu, choose "Run as administrator"
4. File->Open and browse for the hosts file.

The hosts file should look like this: Delete additional lines that they connect various domain names to the wrong IP address. Save the file.

Download and run the antivirus program

After that, download antivirus programs and use them to remove the ransomware, the trojan, and other malware. Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/).

Automatic Malware removal tools

How to recover Plam File Locker encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Plam File Locker has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Plam File Locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Plam File Locker. You can check other tools here.  

Step 3. Restore Plam File Locker affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Plam File Locker tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Plam File Locker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.