PRISM virus - How to remove?
PRISM virus is ransomware program that tries to earn money from random computer users. It’s a program that completely blocks the system saying that it has been done due to suspicions of illegal content downloading and distribution. The program uses the name of USA authorities in order to look more legitimate and gain computer users’ trust.
PRISM virus is installed to random systems with a help of Trojan viruses. This way users are not able to detect it until the program already blocks the system. Once inside, it displays a message in the middle of the screen that lists all law violations that you are accused on and demands paying a fine of 300 USD. Here;s how the message looks like:
NSA Internet Surveillance Program
Computer Crime Prosecution Section
Your Computer has been locked!
Your computer has been locked due to suspicions of illegal content downloading and distribution.
Your case can be classified as occasional/unmotivated, according to 17 (U.S Code)
Thus it may be closed without prosecution.
Your computer will be unblocked automatically.
In order to resolve the situation in an above-mentioned way you should pay a fine of $300 (MoneyPak)
As you see it looks pretty scary and many users actually fall for this scam. You should never trust this application and if your computer has been locked, you should remove PRISM virus instead of following what it says. One of the best proves that it is not related to any authorities is that it asks to make a payment using MoneyPak payment system. This system requires pre-paid cards in order to make a transfer. No legal institution would ever use such means to collect fines.
If your system has been locked, remove PRISM virus as soon as you detect it on your computer. It is a tricky virus so removal of it can be a little bit complicated. If your computer has more than one user account and not all of them are locked, scan whole PC with anti-malware programs, e.g. spyhunter, by logging to the account that is not blocked. Another option is to use system restore. If none of these methods worked for you, do the following:
- Restart your computer;
- Press F8 while it is still restarting;
- Choose between safe modes in following order: Safe mode, Safe mode with command prompt
Then follow the guides below:
If your computer runs in Safe mode or Safe mode with networking
- Launch MSConfig.
- Disable startup items rundll32 turning on any application from Application Data;. Note, that these are typical locations for PRISM virus but some others might be used.
- Restart the system once again.
- Scan with http://www.2-viruses.com/downloads/spyhunter-i.exe to identify PRISM virus files and delete it.
Here is a video showing how to complete the steps:
If your computer runs in Safe mode with command prompt
- Run Regedit.
- Search for WinLogon Entries. Write down all files it references that are not explorer.exe or blank. Replace them with explorer.exe
- Search registry for PRISM virus files and delete the registry keys referencing the files
- Try to reboot and scan with Reimage, SpyHunter.
- If this fails, try doing system restore from safe mode with command prompt (rstrui.exe)
If none of safe modes could be launched
Some versions of PRISM virus disable all safe modes, but give a short gap that you can use to run anti-malware programs:
- Reboot normally.
- Enter: http://2-viruses.com/downloads/spyhunter-i.exe . If malware is loaded, just press alt+tab once and keep entering the string blindly. Press Enter.
- Press Alt+tab and then R couple times. PRISM virus process should be killed.
Here is a video detailing this approach:
Hitman Pro USB disk
If you did not succeed using any of the methods above, try scanning PC with a bootable USB or DVD disk. These should be able to remove all versions of PRISM virus, but will not work if your hard drive is encrypted.
For that, we recommend using Hitman Pro Kickstarter USB.
- Download Hitman Pro on uninfected PC.
- Run Hitman and ask to create Kickstarter USB (option on initial screen)
- When USB ready, reboot infected PC with USB attached and press DEL
- Choose USB as primary boot device.
- Boot normally.
- Run Hitman Pro and http://www.2-viruses.com/downloads/spyhunter-i.exe . One of these programs should detect and remove malware from your PC.