Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

'Notice From Microsoft Corporation' Ransomware

'Notice From Microsoft Corporation' Ransomware is a new and unique ransomware-type program that combines screen-locking and file encryption to force an unfortunate victim to pay a ransom to unlock the screen and decrypt the files. The good news is that you can remove this ransomware and decrypt your files for free because there is already a free decryption tool available. Nevertheless, we think it is important to know what you are dealing with, so we invite you to read this whole article as it contains the most relevant information available at this time.

Let us begin our analysis with this application’s origins. We have found that this program is distributed with the help of malicious emails that carry a malicious file attachment. The developers opted to use a file with a double extension to trick you into thinking that the executable is a PDF file. The name of the file, which may arrive zipped, is CashBillPending(Autosaved)1.pdf.exe. It looks like some sort of bill, but if you open it, this ransomware will infect your PC. We have found that this ransomware can be dropped in %WinDir%\Cursors. If it is dropped in this location, the executable should be named CashBillPending(Autosaved)1.pdf.exe or Microsoftsecteam.exe. In some cases, it might be dropped in %Temp% and named Microsoftsecteam.exe, Cash Bill Pending 1.exe, or Vshost{1-3}.exe. In the Vshost{1-3}.exe form, the part after Vshost is 1 to 3 characters long and varies between samples. The examples we found include VshostD.exe, Vshostde.exe, Vshostdo.exe, VshostE.exe, and Vshostpic.exe. Nevertheless, there can be more variations in future iterations.

If 'Notice From Microsoft Corporation' Ransomware infects your PC, it locks the screen and shows a blue Microsoft-inspired window claiming that you have violated copyright laws by using or distributing particular content. The message states that your IP address was linked to using a pirated copy of Windows, sending spam through botnets, distributing copyrighted content via torrents, and visiting harmful websites. The text lists several articles of the United States criminal code and informs you that those illicit actions can put you behind bars for up to 12 years.

Apart from locking your computer’s screen, 'Notice From Microsoft Corporation' Ransomware was designed to kill Explorer.exe and then encrypt your personal files. As it encrypts them, it appends the .Harzhuangzi extension to each file. Luckily, a decryption tool should already be available, so you should be able to restore your files after deleting this ransomware. The criminals want you to pay 0.5 BTC (approximately 600 USD) in Bitcoin. You need to contact them by email at mssecteam@sigaint.org to receive further instructions on how to get the decryption password. However, we have found that the password-processing function is buggy, so even if you purchase the password, it will not unlock the screen. The criminals try to scare you by stating that you have to pay within a week or your files will become undecryptable.

That is all of the information currently available about 'Notice From Microsoft Corporation' Ransomware. It is evident that this particular program is highly malicious: it can lock your computer’s screen and encrypt your files. We do not recommend paying because the screen will remain locked after you enter the password. We recommend that you remove this malware using an antimalware program such as SpyHunter. However, if you want to get rid of it manually, you will have to boot your PC in Safe Mode. Follow the instructions below on how to delete this ransomware manually.

Boot your PC in Safe Mode with Networking

Windows 10/8.1/8

  1. Press the Windows Key.
  2. Type Change advanced startup options in the search window and press Enter.
  3. Under the Recovery tab, select the Restart now option under Advanced startup.
  4. Select Troubleshoot.
  5. Select Advanced options and go to Startup Settings.
  6. Click the Restart button.
  7. Select Enable Safe Mode with Networking by pressing 5.

Windows 7 and Vista

  1. Open the Start menu and click Restart.
  2. Press and hold the F8 key as your computer restarts.
  3. On the Advanced Boot Options screen, select Safe Mode with Networking.
  4. Press Enter.

Windows XP

  1. Click the Start button and then click Restart.
  2. Press and hold the F8 key as your computer restarts.
  3. On the Advanced Boot Options screen, select Safe Mode with Networking.
  4. Press Enter.

Removal Guide

  1. Press Windows+E keys.
  2. In the File Explorer’s address box, type each of the following paths, press Enter, and check the folder for malware.
    • %WinDir%\Cursors
    • %Temp%
  3. Look for VshostD.exe, Vshostde.exe, Vshostdo.exe, VshostE.exe, Vshostpic.exe, Microsoftsecteam.exe, and Cash Bill Pending 1.exe.
  4. Right-click the malicious executable and click Delete.
  5. Empty the Recycle Bin.

Delete registry keys

  1. Press Windows+R keys.
  2. Type regedit in the box and press OK.
  3. Go to HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\shunimpl.dll
  4. Find the value named "command" with value data "C:\Windows\Cursors\Microsoftsecteam.exe".
  5. Right-click it and click Delete.
  6. Then go to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  7. Find the value named "shunimpl.dll" with value data "C:\Windows\Cursors\Microsoftsecteam.exe".
  8. Right-click it and click Delete.
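The manual steps above amount to checking two drop folders for a handful of file names and two registry locations for a value pointing at Microsoftsecteam.exe. The following PowerShell script is an added example written for this article; it is not a tool provided by the article's authors or by any vendor. It performs the same checks in read-only fashion and reports what it finds, leaving the actual deletion to the steps of the guide. It assumes it is run from an elevated PowerShell session on the affected machine (ideally in Safe Mode), so that %WinDir% and HKLM are readable. The generalized pattern `^Vshost.{1,3}\.exe$` and the count of .Harzhuangzi files under the user profile go slightly beyond the article's exact list, to catch the other 1-to-3-character Vshost variants it warns about and to size the encryption damage.

```powershell
# Added triage example (not from the original article). Read-only: reports indicators
# described in the article and deletes nothing.
# Assumption: elevated PowerShell on the affected machine, preferably in Safe Mode.

$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# Drop locations named in the article, expanded from environment variables.
$dropDirs = @(
    (Join-Path $env:WINDIR 'Cursors'),
    $env:TEMP
)

# Exact executable names listed in the article.
$knownNames = @(
    'CashBillPending(Autosaved)1.pdf.exe',
    'Microsoftsecteam.exe',
    'Cash Bill Pending 1.exe',
    'VshostD.exe', 'Vshostde.exe', 'Vshostdo.exe', 'VshostE.exe', 'Vshostpic.exe'
)

# Generalized form of the Vshost name: "Vshost" + 1 to 3 characters + ".exe".
$vshostPattern = '^Vshost.{1,3}\.exe$'

foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        $name = $_.Name
        if (($knownNames -contains $name) -or ($name -match $vshostPattern)) {
            $findings += [pscustomobject]@{
                Kind   = 'File'
                Where  = $_.FullName
                Detail = "size=$($_.Length) bytes, created=$($_.CreationTime)"
            }
        }
    }
}

# Persistence locations named in the article. Each carries a value whose data
# points at Microsoftsecteam.exe under the Cursors folder.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\shunimpl.dll'; Name = 'command' },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run';        Name = 'shunimpl.dll' }
)
foreach ($check in $regChecks) {
    $item = Get-ItemProperty -LiteralPath $check.Path -Name $check.Name
    if ($null -ne $item) {
        $data = $item.($check.Name)
        if ($data -match 'Microsoftsecteam\.exe') {
            $findings += [pscustomobject]@{
                Kind   = 'Registry'
                Where  = "$($check.Path)\$($check.Name)"
                Detail = $data
            }
        }
    }
}

# Scope of the encryption: count files carrying the .Harzhuangzi extension
# under the current user's profile.
$encrypted = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Filter '*.Harzhuangzi'
$findings += [pscustomobject]@{
    Kind   = 'Encrypted files'
    Where  = $env:USERPROFILE
    Detail = "count=$(@($encrypted).Count)"
}

# Print the report; an empty table apart from the file count means none of the
# article's indicators were found in the checked locations.
$findings | Format-Table -AutoSize
```

Because the ransomware kills Explorer.exe, start the script from a PowerShell window opened through Task Manager (File, Run new task) if the desktop is unavailable. The report is meant to confirm which of the guide's files and registry values are actually present on the machine before you delete them by hand.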