The Prism NSA Internet Surveillance Program Ransomware belongs to the Troj/Reveton group of screen locker viruses. Like other screen locker infections, it lists a set of fake charges against the users of computers that it has compromised. It then states that the user can resolve the pending fake charges by simply paying a fine of $300.00 through Green Dot MoneyPak.
The Prism NSA Internet Surveillance Program Ransomware's interface is very convincing with its government logos and cropped photos of police, but it's still just another screen locker virus scam. It's simply playing off of the media hype from the information that was released by Edward Snowden about the National Security Agency's classified surveillance programs.
To remove the Prism NSA Internet Surveillance Program Ransomware from your computer, you'll need to download a group of software utilities on a clean computer and then transfer those utilities to the infected computer via a burned CD/DVD or a flash drive. You will also need to perform the removal of this ransomware from "Safe Mode with Command Prompt". Any attempts to remove the virus from standard "Safe Mode" or "Safe Mode with Networking" will most likely be unsuccessful.
To remove this screen locker virus, you’ll need to download the software listed below on a clean computer and then transfer the files to the compromised computer via a burned CD/DVD. You’ll also need an external USB flash drive that doesn’t contain any information that you need to save. You should also keep your Windows installation discs close by in case you need to replace any system files that the virus may have damaged. We usually haven’t needed the installation discs after removing this specific bootkit virus, but you should have access to them just in case.
The files you will need to download include:
- Hitman Pro with Kickstart
- Bitdefender Bootkit Removal Tool
- Emsisoft Emergency Kit
This is a very long and detailed virus removal guide that involves several detailed steps to remove this particular virus. If you don’t feel comfortable performing any of the steps listed in this guide, or you feel as if you’re in a little over your head, your best alternative may be to seek the assistance of a professional virus removal specialist.
How to remove the Prism NSA Internet Surveillance Program Ransomware step by step
- To start, download all of the software listed above on a clean computer and burn it to a CD/DVD, except for “Hitman Pro”, because you will need to install it on a USB flash drive.
- Once you have burned all of the software to disc, execute the copy of “Hitman Pro” that you downloaded on the clean computer, but don’t plug the USB flash drive into the computer that you’re installing it on just yet. If you have already plugged it in, unplug it from the computer for now.
- After “Hitman Pro” starts up, click on the little icon at the bottom of its window that looks like a little stickman figure getting kicked.
- Next, plug the USB flash drive back into the clean computer. Keep in mind that the flash drive will be formatted by “Hitman Pro”, so you will lose any data that is currently stored on it.
- The USB flash drive should now be displayed down at the bottom of the Hitman Pro application window. If it’s not displayed at this point, unplug the external USB drive for about 15 seconds and then plug it right back in.
- Next click on “Install Kickstart”.
- Click on “Yes” to agree with the drive format warning.
- After the USB drive has been formatted and Kickstart has been installed on it, disconnect it from the clean computer and proceed to the infected computer. Now plug the USB flash drive with “Hitman Pro with Kickstart” into the infected computer.
- Turn the computer on and select the installed USB flash drive as the boot device. You will probably have to press a hotkey to access the computer’s boot menu first, though. The proper hotkey may vary from manufacturer to manufacturer, but it will probably be either the “Function F12” or the “Esc” key. If both of those access keys fail to bring up the boot menu, check our “Boot Menu Access Keys” page.
- Once you have accessed the boot menu and selected the external USB flash drive, the “Kickstart” boot options screen should appear. At this screen, select the first option in the list.
- Next, at the login screen, log into the affected user account or another administrator account and wait for the “Hitman Pro” interface window to appear. Once the interface appears, click on “Next”.
- At the Hitman Pro setup screen select the second option to perform a one-time scan of your computer and then click on “Next”.
- Once you make your way to the scan screen, perform the default scan of your computer and remove the malicious files that the scanner locates on your computer.
- Next, before “Hitman Pro” will remove the detected files, it will need to be activated over the Internet from the “Product Activation” screen. Select the “Activate Free License” option to activate the software.
- Once the application has been activated, it will remove the files that it detected on your computer.
- After the removal is completed, restart your computer into “Safe Mode with Command Prompt”.
- Log back into the compromised user account or an administrator account.
- Once the command prompt appears, navigate to the CD/DVD drive that holds the software disc you originally created on the clean computer. Depending on your computer configuration, you will need to type either “D:” or possibly “E:” at the command prompt to access the CD/DVD drive.
- Next execute the copy of "rKill" by typing "rkill.exe" at the prompt. Once it starts, it will terminate any malicious processes that it detects are loaded in your computer's memory.
- After “rKill” completes, execute the copy of the “Bitdefender Bootkit Remover” by typing its executable name at the command prompt. Perform a scan of your computer by clicking on “Start Scan”. If the removal tool detects a bootkit infection, remove it and reboot back into “Safe Mode with Networking” if needed.
- Next, start the copy of "Combofix" by typing "Combofix.exe" at the command prompt. If it prompts you that it has detected an active anti-virus on your system, you'll need to disable the currently installed anti-virus. You can do that by typing "explorer" at the prompt and then disabling your anti-virus once the desktop is displayed. Only start the “Explorer” if it’s absolutely necessary.
- If you needed to disable your real-time anti-virus protection, open the task manager by pressing "Ctrl, Alt & Delete" together. After the task manager is displayed, select the processes tab and click on "Explorer" and then "End Process" down at the bottom.
- Next, return to the command prompt and continue with the "Combofix" scan. You may have to restart it if you closed it before. Combofix will perform a 50 to 60 stage scan and removal of any malicious files that it detects, but it shouldn’t take more than 15 or 20 minutes to complete.
- Once Combofix has completed its scan and removal process, start the "Windows Explorer" by typing "explorer" at the command prompt.
- Next, decompress the "Emsisoft Emergency Kit" by clicking on its executable. Make sure that you decompress it to an easily accessible directory on your computer.
- After Emsisoft has been decompressed, start it by double clicking on "start.exe" in its directory.
- Next click on the “Emergency Kit Scanner”.
- Next perform a deep scan of your system and remove any remaining malicious files that the Emsisoft Emergency Kit detects.
- After the emergency kit completes, restart your computer normally.
At this point your computer should be free of the Prism NSA Internet Surveillance Program Ransomware. If there are still indications of the infection, you'll need to contact a professional computer virus removal specialist to handle your situation.
Smith Technical Resources makes no guarantees or claims that the information contained in this article will help you completely remove the above listed malicious program(s) from your computer. There are several variations of each particular virus in the wild, and the procedure listed above may not be adequate for the specific version of the virus that has compromised your computer.
If you feel uncomfortable performing any of the procedures that we've listed on this page, please contact a professional computer repair company in your area and have them complete the needed repairs on your computer. Smith Technical Resources takes no responsibility for any possible damage that could result from your use of the above instructions.