Depends on the algorithm. Many encryption schemes are vulnerable if you know the cyphertext and can guess the plain text.
This is one of those cases where if they knew what they where doing the PRNG would be fine as is. So, you can't just and wave some undefined encryption scheme and assume they will implement it correctly.
Any cryptographic hash function works as a key derivation function (KDF) or cryptographically secure pseudo-random number generator (CSPRNG). Even ones with broken collision resistance are probably still suitable-- you could just take the bottom bits of MD5(secret_key + counter) and that would be enough.
Very much no. If I know the hash function will always map input X > Y for all machines and I can guess say 100,000 possible states for the PRNG based on for example the time stamp then:
Hash those 100,000 states, compare the output of those hases to the observed output to find the actual PRNG state. Then always know the hashed output of the PRNG.
Edit: You said secret_key aka hidden salt, but if I can get that key by say access to the machine then it's not necessarily hidden.
I am pointing this out because the assumption is a poor PRNG used by incompetent team in the first place. Saying just do X, when it's possible to do X and still have a problem is not an actual solution. It's equivalent of saying just be competent.
This is one of those cases where if they knew what they where doing the PRNG would be fine as is. So, you can't just and wave some undefined encryption scheme and assume they will implement it correctly.