Written by Tomas Meskauskas
Damage level: Severe
PRISM Virus "Your computer has been locked due to suspicions of illegal content downloading and distribution" - how to remove?
The message "Your computer has been locked due to suspicions of illegal content downloading and distribution", which claims to come from the NSA Internet Surveillance Program PRISM, Computer Crime Prosecution Section, blocks the computer's screen and demands payment of a $300 fine using MoneyPak in order to unlock the computer. It is a scam. This message is not related to any real authorities from the USA - it's a ransomware virus created by cyber criminals. The main purpose of this screen-locking message is to scare unsuspecting PC users into paying a fake fine using false accusations of law infringements (downloading or distributing copyrighted content, watching child pornography, etc.).
This ransomware virus infects users' computers via exploit kits, which are spread through infected email messages, drive-by downloads and malicious websites. Exploit kits rely on outdated software to infiltrate computers, so keeping one's installed programs up to date can drastically decrease the risk of getting infected with ransomware. After successful infiltration, the PRISM virus completely locks the user's screen and disables all Windows features that would allow the user to close the fake message. This particular ransomware virus originates from a family called Reveton and is targeted at PC users from the USA; a previously released variant of this virus exploited the name of The ICE Cyber Crime Center to scare PC users into paying the non-existent fine. The NSA Internet Surveillance Program PRISM "Your computer has been locked!" message is a total scam, don't trust it - paying the fine when asked by this message would be equal to sending one's money to cyber criminals.
The cyber criminals responsible for creating ransomware viruses from the Reveton family use IP address information to target PC users from different countries with localized variants of their deceptive, screen-locking messages. To make their rogue messages appear more realistic, cyber criminals exploit the names of various authorities and organizations; in this case it's the NSA. Other known ransomware viruses use the names of the FBI, ACMA, ICE, etc. to achieve their rogue goal of tricking PC users into paying a fake fine in order to unlock their computers. PC users should know that in reality no authorities or organizations around the world use such screen-locking messages to collect fines for any law violations. If your computer's screen is already blocked with a message supposedly sent by the NSA Internet Surveillance Program PRISM, you should use the provided removal guide and eliminate this scam.
Fake message presented in PRISM Virus:
NSA Internet Surveillance Program
Computer Crime Prosecution Section
Your Computer has been locked!
Your computer has been locked due to suspicions of illegal content downloading and distribution.
Your case can be classified as occasional/unmotivated, according to 17 (U.S Code)
Thus it may be closed without prosecution.
Your computer will be unblocked automatically.
In order to resolve the situation in an above-mentioned way you should pay a fine of $300 (MoneyPak)
PRISM virus removal:
Windows XP and Windows 7 users: While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe Mode with Networking from the list and press ENTER.
Windows 8 users: Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click on Advanced startup options, then in the opened "General PC Settings" window select Advanced startup. Click on the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click on the "Troubleshoot" button, then click on the "Advanced options" button. In the advanced options screen click on "Startup settings". Click on the "Restart" button. Your PC will restart into the Startup Settings screen. Press "5" to boot in Safe Mode with Command Prompt.
Log in to the account that is infected with PRISM Virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all the entries that it detects.
If you can't start your computer in safe mode with networking, try doing a system restore.
1. Start your computer in Safe Mode with Command Prompt - while your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe Mode with Command Prompt from the list and press ENTER.
2. When command prompt mode loads enter the following line: cd restore and press ENTER.
3. Next type this line: rstrui.exe and press ENTER.
4. In the opened window click "Next".
5. Select one of the available restore points and click "Next" (this will restore your computer's system to an earlier time and date, before this ransomware virus infiltrated your PC).
6. In the opened window click "Yes".
7. After restoring your computer to a previous date, download a recommended malware removal program and scan your PC with it to eliminate any remaining remnants of the PRISM ransomware virus.
If you can't start your computer in safe mode with networking (or with command prompt), you should boot your computer using a rescue disk. Some variants of ransomware disable safe mode, making their removal more complicated. For this step you will need access to another computer. After removing this ransomware virus from your PC, restart your computer and scan it with legitimate antispyware software to remove any remaining remnants of this security infection.
Other tools known to remove PRISM ransomware virus: