.Pahad Virus


.Pahad is a virus program that blackmails users for access to their data. Initially, .Pahad secretly sneaks inside the computer of the targeted victim and then launches a data-encryption process, which blocks access to the targeted user data.

.pahad virus

The .pahad virus file encryption

Upon finishing with the encryption, viruses like .Pahad create a text file and place it on the Desktop of the infected machine or within the folders where the encrypted files are stored. The text in the file informs the virus’ victim about the reason behind their inability to access their data, namely the encryption process that has just taken place. The note also tells the user that if they want to bring their files back, they would have to send money to a given cryptocurrency wallet. In other words, if the victims of .Pahad wish to be able to open and use their personal files again, they must pay a ransom. This blackmailing scheme is extremely common nowadays and there is a whole category of computer viruses known as Ransomware that are known for implementing it.

The .Pahad virus

The .Pahad virus is a hazardous malware infection that could lead to loss of important data because it restricts access to the files of its victims. The .Pahad virus requires a ransom payment from the victims in order to make the files accessible again.

Unlike other more conventional forms of malware, such as Trojan horses, that could severely damage the infected computer, most Ransomware viruses do not directly threaten the health of the infected system or that of the targeted files. Ransomware locks the user’s data but it doesn’t do much else. This means that users who do not have any highly important data on their computers or ones who have extensive backups of their most valuable files shouldn’t be that severely impacted by a potential Ransomware attack. On the other hand, however, if you don’t have file backups and the data which the Ransomware has managed to lock is very important to you, such a situation could be particularly unpleasant and lead to some dire consequences.

The one thing to remember if Ransomware has attacked you is to try to remain calm and to never rush towards the ransom payment in hopes that this will bring your data back. Even if some users manage to return their files by sending the ransom to the blackmailers, there is no guarantee that you won’t simply be wasting your money if you do the same – the chance of recovering your data after paying is always there, as you can never really trust the hackers behind the Ransomware.

The .Pahad file encryption

The .Pahad file encryption is a process that uses an advanced data-locking algorithm through which the targeted files become inaccessible. The .Pahad file encryption has a unique key for each computer infected by the virus which is needed to unlock the files.

The hackers want you to “purchase” the key for your computer from them by sending them the ransom amount, but we advise against doing that. Instead, we suggest that you try the removal guide we have on this page to remove .Pahad and then head to the alternative file recovery methods added to it.


Name .Pahad
Type Ransomware
Data Recovery Tool Not Available
Detection Tool

Remove .Pahad Ransomware


First, you must find and stop the process (or processes) that are related to .Pahad. To do this, start the Task Manager (Ctrl + Shift + Esc) and select the Processes tab. The virus process should be listed in there but it would likely go under a different name so you must be watchful and carefully explore the entries in the processes list. You should be looking for a process that is consuming most of your computer’s RAM and Processing (CPU) power and has an odd name that you don’t recognize or can link to any of the programs that are open on the computer at the moment.

If you suspect a particular process, it is important to rule out the possibility of it being a regular OS process so we suggest looking up online. If it is an OS process, it should come up in the results. If it is not, you may even find search resutls confirming that the process is indeed related to a virus.


After you have confirmed that the suspected process is not a legitimate OS one, you must go to it in the Task Manager, right-click on it, and select the Open File Location option. This will bring you to a folder where the process’ files are stored. Those files must be scanned for malicious code – use the free scanner below and/or your own antivirus program.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    If malware is found in any of the files from that folder, this would further confirm that the process in question is malicious. In such a case, right-click on that process again and then select the End Process Tree button.

    Finally, delete the folder (File Location) of the malicious process. If there’s an error message when you try to delete the folder that tells you some of the files in it cannot be removed, enter the folder, delete all the files that you are allowed to remove, and go to the next steps from this guide. After you’ve completed them all, return to the File Location folder and try to delete it again.



    Reboot your PC into Safe Mode to keep any other Ransomware processes that you may have missed from running on your computer. You can find information on how to boot into Safe Mode from the guide on this page.


    Your next task is to clear the startup entries on your computer – those are items (programs, apps, services, etc.) that are automatically started with Windows. To establish its presence on your system and operate at all times, the Ransomware may have added its own entry to the list of startup items on your computer. To see that list and remove from it anything that may be linked to .Pahad, go to the Start Menu, type System Configuration, hit Enter, and, from the next window, select the Startup tab.

    In that tab, you will see a list with startup items, and you must remove from it anything that seems sketchy, unfamiliar, or unreliable. To remove an item, remove the tick from its checkbox and then click on Apply. We suggest that you also remove any items with Unknown manufacturers except for those of them that you trust.msconfig_opt

    Once you are finished removing startup items, click on OK and proceed with the next step.


    Type/copy-paste this under the Start Menu “notepad %windir%/system32/Drivers/etc/hosts” (remove the quotes) and click on the first icon from the results. See at the bottom of the text in the file (Hosts) that opens if there’s anything written below Localhost. Under normal circumstances, there should be nothing there. However, most forms of malware and even some legitimate programs tend to make changes to the Hosts file by adding different lines (usually IP addresses) under Localhost. hosts_opt (1)

    To determine if any lines below Localhost in your Hosts file are from the virus, we must have a look at what’s written there, so we advise you to copy everything that’s below Localhost and send it to us in the comments. We will have a look at the lines you’ve sent us and tell you if you need to do anything about them.


    Important!: This next step requires you to delete malware items from the Registry of your computer. However, sometimes it may be difficult to tell if a Registry item is from a virus and since there are lots of important system-related settings in the Registry you may end up accidentally deleting, it is important to always consult us via the comments ever time you are in doubt about whether something in your Registry needs to be deleted.

    Now, to access the Registry Editor, type regedit in the Start Menu and select the regedit.exe icon. If asked for Admin confirmation, click on Yes to provide it and to open the Registry Editor. Once in it, press Ctrl + F from the keyboard and type the name of the virus in the small search box. Then click on the Find Next button and see if anything gets found. If an item is found, click on it, press Del from your keyboard, and click on Yes to delete that item. Then select Find Next again to search for the next one and delete that one too. Rinse and repeat until nothing else with the name of the virus gets found in the Registry.

    Next, proceed with navigating to the following Registry locations by expanding the different folders from the sidebar of the Registry Editor (to the left).

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

    Once you get to each of these Registry locations, look in them for items that have overly long names that look like randomized strings of characters. If you see such an odd-looking folder, delete it. If you are unsure if a certain item is to be deleted, do not hesitate to ask us about it by hitting us up through the comments section.


    Finally, go to the Start Menu, copy-paste the first of the following lines in its search box, and hit Enter. A folder will open and in it you must sort the files by date and then delete the most recent one (all files created after .Pahad infected you). After you are done with the first folder, do the same with the other four and once you get to the Temp folder, delete all the files that are contained in it and not only the most recent ones.

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    The only remaining thing now is to delete the suspicious process File Location folder from Step 1 if you weren’t able to delete it earlier. Now that you have completed all of the other steps, you should now be able to remove that folder without problem.

    How to Decrypt .Pahad files

    After you have completed the guide from above and successfully removed .Pahad, you will have to find a way to restore the files that the virus has locked. Note that the removal of .Pahad will not automatically restore the access to your data. However, removing the virus is an important first step towards returning your files. If the malware is still on your computer, any files that you may manage to recover are likely to get encrypted all over again.

    Now, if you no longer have .Pahad on your computer, we suggest you go to our How to Decrypt Ransomware article where we have included and explained in detail several data-recovery methods you could try in order to bring back your encrypted files. Of course, the ransom payment is also an option but we do not recommend it as you simply cannot trust the criminals who have attacked you with .Pahad and have tried to blackmail you for the restoration of your files.

    Again, before you try any of the restoration methods, make sure the Ransomware threat is gone from your machine. If you need to, use our free online scanner to scan suspicious files on your computer and see if they are potentially linked to the malware.

    Final Notes

    Using the guide on this page, you should have no problem deleting the malicious .Pahad from your computer. Nevertheless, if you think or know that the threat is still lurking in your system even after completing the guide, we strongly recommend trying out the professional anti-malware tool that can be found linked on the current page. Not only can it locate and delete all kinds of malware from your computer, but it can also keep your system secure in the future and fend off other incoming threats.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1