TreasureHunter Removal Guide

TreasureHunter hunts for payment card details that are stored in memory. Such details are, without a doubt, a real treasure for the attackers, who can sell it along with other personal data or use it to impersonate victims. The worst part about this POS (point-of-sale) malware is that it might have multiple variants. Originally, it is believed that this threat was created by Bears Inc. in 2014, but the source code of this malware was made public in 2018, which means that now virtualy anyone could build upon the foundation of this malware. This is a terrifying thought. That being said, there are plenty of security measures to protect point-of-sale systems, as well as to clean them if malware invades. If you continue reading this report, you will learn how to delete TreasureHunter. If you do not have time to learn, scroll down to the last paragraph of this article to learn about removal options and to find a complete guide.

According to our malware researchers, TreasureHunter is an unfinished project that is only capable of infecting systems running on Windows XP. While that might be true, with new actors coming in and getting a chance to play with the infection’s code, we cannot guarantee security for the owners of different Windows versions. Nonetheless, protected systems should stand strong against this POS malware, and so it does not actually matter which version you prefer to use for your operations. What matters is that your system does not have major security holes. For example, are passwords to your remote desktop protocol servers strong? If they are not, how can you expect your system to stand strong against malicious infections? TreasureHunter and many other kinds of malware prey upon vulnerable systems with weaknesses in RDP servers because it is easy to brute-force access to them and make a mess. In our situation, if the system is accessed without the notice of the owner and existing security software, a malicious Trojan can start stealing highly sensitive information.

To ensure that the attack of TreasureHunter is not terminated prematurely, a Run entry is added in the Windows Registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run named “jucheck”) to add the infection to Startup. The infection enumerates running processes (avoids processes with System33, SysWOW64, or \Windows\explorer.exe name). Finally, it scans the memory to find service codes, payment card numbers, and account numbers. All of this data is sent to a remote Command & Control server for processing. It is impossible to say how cyber criminals would use the gathered data, but, without a doubt, the victims could be exposed to virtual identity theft attacks. This is a serious issue, and if POS malware is discovered, it is important to notify victims or take other appropriate actions to secure private data. Unfortunately, TreasureHunter is not the only POS malware in existence. Also, it is unknown how many different variants of this malware exist, and so we cannot forget about the incident after removal.

It is important to remove TreasureHunter, but it also important not to forget about other malicious threats that could attack the system. The same security vulnerabilities could be exploited, but note that malware creators are smart, and they know how to exploit any minuscule error and vulnerability. If you are not prepared, your operating system could be hit again and again. The security of your system, of course, falls into your hands, and you have to decide how you want to go about things. We recommend installing legitimate anti-malware software. It will reliably secure your operating system and keep private data safe. Unless you delete TreasureHunter manually before installing this program, the anti-malware software will also eliminate this infection. If you are interested in manual removal, check out the guide below, but do not forget to perform a full system scan at the end because you want to be 100% sure that your operating system is malware-free before you go back to regular activities.

How to delete TreasureHunter

1. Launch Run by tapping keys Win+R on the keyboard.
2. Type regedit into the open box and click OK to open Registry Editor.
3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
4. Delete the value named jucheck.
5. Launch Explorer by tapping keys Win+E on the keyboard.
6. Type %APPDATA% into the quick access field at the top.
7. Delete the [random name] folder with jucheck.exe inside of it.
8. Type %USERPROFILE% into the quick access field at the top.
9. Delete the file named ntuser.ini.
10. Empty Recycle Bin and do not forget to perform a full system scan.