.Pass is computer malware used for blackmailing the attacked users – it locks the victim’s files and it doesn’t release them unless a BitCoin ransom payment is made. .Pass uses military-grade encryption to ensure no one can open the locked data.
The Ransomware cryptoviruses are computer threats that are programmed to silently place all the personal user files in a given machine under a lockdown through the use of a military-grade encryption algorithm. The only reliable way of getting through that encryption is by using the correct decryption key that gets generated by the Ransomware once during the encryption process. However, that key is on the hackers’ computer, and they won’t give it to you unless you pay them money for it. This blackmailing for a ransom payment is the main reason threats like .Pass get created. The users attacked by viruses of this type are forced to choose between spending a large amount of money (oftentimes the sum is in the thousands) to restore their files or being left with no way of accessing the encrypted data. Here, on this site, our job is to help you find the best solution for this problem and minimize the consequences of the attack from this insidious virus. We must warn you, though, that full recovery of the data may not always be an option. Even the ransom payment can’t guarantee that your files will be restored!
The .Pass virus
The .Pass virus is a malware program that targets Windows computers, aiming to encryption-lock the files in them. The goal of the .Pass virus is to make the computer’s user pay a certain amount of money in BitCoins for the decryption key.
The first thing we must tell you about file recovery is that having a backup of your locked files can pretty much nullify the effects of the Ransomware threat. However, there is one very important thing to remember here – you MUST NOT connect any of your external devices with backups on them to your computer if the virus is still present there. Should you do that, you will likely get your backups encrypted too, and thus kill your best chance of making your data accessible again. If you need help removing .Pass, you should take a look at the guide included in the current page – the instructions and the anti-malware tool you will find in it will help you with the quick elimination of the Ransomware.
The .Pass file extension
The .Pass file extension is the unique extension that this Ransomware uses when encrypting the files of its victims. The .Pass file extension can’t be removed and the normal extension can’t be restored unless you use the corresponding decryption key.
The biggest problem most users face when they get attacked by malware is their lack of backups. If you are in this situation and have no data backups on other devices, in cloud storage, or in any of your online accounts, then recovering your data may indeed be quite difficult, and, in some cases, not possible for all of the files. Some users that don’t have backups might even consider paying the ransom, but we must warn you that if you go for this course of action, you will spend a very large amount of money with no guarantee that you will be given the correct key that can unseal your files. This is why we strongly recommend first trying the alternatives we have prepared for you in the second part of our guide. There, you will find several suggestions that are free to try and might allow you to restore some of your important files. Also, even if none of our suggestions yield satisfactory results, paying should still only be considered if the files that the Ransomware has locked are so important that they’d be worth the money you spend to decrypt them and the risk of getting said money wasted for nothing. Then, and only then, could the ransom payment be considered a viable option.
| Data Recovery Tool | Not Available |
Remove .Pass Virus
To remove the .Pass virus, the attacked user should first delete any potentially harmful programs, then quit the malware processes, and find and delete remaining Ransomware data.
- Open the Programs and Features list, check it for potentially rogue programs, and uninstall the items you deem unwanted.
- Search the Task Manager for processes that may be linked to the virus and quit them.
- Visit the following five folders and delete from them any malware data: AppData, LocalAppData, ProgramData, WinDir, and Temp.
- Search the Registry of your PC for items created by the Ransomware and delete them to remove the .Pass virus.
If you need a more in-depth explanation of the steps above, you will find it down below.
Begin by searching for Programs and Features in the Start Menu and clicking the first shown icon in the search results. Then proceed to explore the list of programs, trying to find anything that may be linked to .Pass. Pay special attention to the entries added just before the Ransomware revealed itself on your computer. If you find anything sketchy, delete it by selecting it from the list and clicking Uninstall from the top of the window. Then follow the uninstallation wizard steps, making sure that everything related to the suspicious program gets deleted.
The next thing to do is visit the Task Manager by pressing the Ctrl, Shift, and Esc keys on your keyboard. Open the Processes section of the Task Manager and look at which processes are active at the moment. Usually, Ransomware processes need a lot of CPU and RAM to function, so focus on the most resource-intensive processes and see if among them there are ones with questionable and suspicious-looking names.
If you see any sketchy processes, use Google, Bing, or another reputable search engine to find more information about them. If there are any posts on trusted websites that say the process you searched for may be malicious, right-click on its entry in the Task Manager, go to the File Location of the process, and check the files in that folder for malicious code by scanning them with the free online scanner that you will find right below.
Upon finishing the scan, and if any of the files are flagged as threats, right-click again on the process, and then click on End Process. After that, delete whatever’s in the file location folder and then the folder itself. If you aren’t allowed to complete the deletion of any of the files, delete the rest, and come back later, once the other steps are completed, to delete the remaining files.
Restart your computer into Safe Mode so that even if you didn’t manage to quit any Ransomware processes during the last step, they won’t be running in the system when you are completing the rest of this guide.
Once you enter Safe Mode, press together the Winkey and R key and copy-paste the next line in the Run window that shows up on the screen:
If Windows asks you about what program you want to use to open the file, click on Notepad and when the file opens, see what’s written at the end of the text in it. If the last thing written is “Localhost”, then there’s nothing else to do here, and you should proceed to the next step.
If there are other lines of text or any IP addresses below “Localhost”, you must copy them and paste them in the comments. Once we see them, we will tell you if you should delete them from your Hosts file.
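The Hosts-file check described above can also be done without reading the file by eye. The following PowerShell is an added example, not part of the original guide: it lists every active (uncommented) entry and marks the ones that map anything other than "localhost". The function name is hypothetical, the sample lines are constructed, and the path is the standard Windows location of the Hosts file.

```powershell
# Added example: read-only review of Hosts-file entries. Nothing is modified.
function Get-HostsEntry {                      # hypothetical helper name
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # '#' starts a comment in the Hosts format; keep only the text before it.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }  # an address with no name maps nothing
        $names = $fields[1..($fields.Count - 1)]
        [pscustomobject]@{
            Line    = $lineNo
            Address = $fields[0]
            Names   = $names -join ', '
            # Anything other than a plain "localhost" mapping deserves a second look,
            # including loopback addresses assigned to other names.
            Review  = [bool]($names | Where-Object { $_ -ne 'localhost' })
        }
    }
}

# Constructed sample input (documentation-range address, example.com names).
$sample = @(
    '# sample Hosts file, constructed for this example'
    '#  127.0.0.1       localhost'
    '127.0.0.1   localhost'
    '203.0.113.10   login.example.com   # constructed entry'
    '127.0.0.1   updates.example.com'
)
Get-HostsEntry -Lines $sample | Format-Table -AutoSize

# The same check against the live file (standard Windows location).
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    Get-HostsEntry -Lines (Get-Content -LiteralPath $hostsPath) |
        Where-Object Review | Format-Table -AutoSize
}
```

An empty result from the last command means the file contains no active entries besides localhost mappings.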
Important Warning!: This step involves opening the Registry Editor and deleting items from it. You should only delete what you are certain is from the virus. In case you are unsure about one or more items, first ask us about them in the comments instead of outright deleting them or else you may cause damage to your system!
One way to launch the Registry Editor is to type regedit in the start menu, click on the regedit.exe icon, and select Yes when you are asked for Admin approval.
When the Registry Editor opens, select Edit > Find and type the virus name in the search box. Then begin the search and delete whatever gets found. Keep repeating the search and deleting the found items until there aren’t any more results for the virus’ name.
The next thing you must do is find the following three folders in the left side of the Registry Editor and search them for sub-folders with odd names that seem longer than the rest and/or stand out in some other way (such as having a name that seemingly consists of random characters). If you find anything like that, you should tell us about it in the comments and delete it if we tell you it’s from the virus.
The folders you must find in the Registry Editor are:
- HKEY_CURRENT_USER > Software
- HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
- HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main
Finally, open each of the next folders by copy-pasting the next lines in the Start Menu and clicking on the first shown items.
In each of the folders, delete the most recent files (everything created since the virus entered your PC). Only in the Temp folder delete everything that’s in it.
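Before deleting anything in the registry and folder steps, it helps to get a plain listing of what is there. The following PowerShell is an added example, not part of the original guide, and it only reads: it shows the longest-named sub-folders under the three registry locations named above, the values stored in the Run key, and the items created recently in the five folders. The helper names and the seven-day window are assumptions; set the date to shortly before the infection appeared.

```powershell
# Added example: read-only listing for the registry and folder steps. Nothing is deleted.
$since = (Get-Date).AddDays(-7)   # assumption: set to shortly before the infection

# The three registry locations named in the guide.
$keys = @(
    'HKCU:\Software'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Internet Explorer\Main'
)

function Get-SubkeyByLength {          # hypothetical helper name
    param([string]$Key, [int]$Top = 10)
    # Longest names first, since the guide says odd entries tend to stand out by length.
    Get-ChildItem -LiteralPath $Key -ErrorAction SilentlyContinue |
        Sort-Object { $_.PSChildName.Length } -Descending |
        Select-Object -First $Top @{ n = 'Key'; e = { $Key } },
            @{ n = 'Subkey'; e = { $_.PSChildName } },
            @{ n = 'Length'; e = { $_.PSChildName.Length } }
}

function Get-RunValue {                # hypothetical helper name
    # Values in the per-user Run key are commands started at logon.
    $run = Get-Item -LiteralPath $keys[1] -ErrorAction SilentlyContinue
    if (-not $run) { return }
    foreach ($name in $run.GetValueNames()) {
        [pscustomobject]@{ Value = $name; Command = $run.GetValue($name) }
    }
}

function Get-RecentItem {              # hypothetical helper name
    param([datetime]$Since)
    # AppData, LocalAppData, ProgramData, WinDir and Temp, top level only.
    $folders = $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:windir, $env:TEMP
    foreach ($dir in ($folders | Where-Object { $_ })) {
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since } |
            Select-Object CreationTime, FullName
    }
}

$keys | ForEach-Object { Get-SubkeyByLength -Key $_ } | Format-Table -AutoSize
Get-RunValue | Format-Table -AutoSize -Wrap
Get-RecentItem -Since $since | Sort-Object CreationTime | Format-Table -AutoSize -Wrap
```

A long name or a recent creation date is only a reason to look closer; legitimate software also creates such entries.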
How to Decrypt .Pass files
After you eliminate .Pass, it is time to decrypt your data. Note that removing the virus won’t automatically set your files free – additional action is required for that. Paying the ransom demanded by the hackers is not recommended, as this may turn out to be nothing but a total waste of money. Instead, we suggest you visit our How to Decrypt Ransomware article and try out the alternative data-recovery suggestions shared there. Also, if you still have any doubts that anything in your system may be related to the virus, do not forget that you can, at any time, use the free malware scanner offered on our site to test suspicious data for malware code.