January 3, 2021

Been Dealing with a Trojan (Gozi) for almost two weeks and nothing is picking it up. Please help!


I’ve been dealing with, I believe, a variant of the Gozi Trojan on my mom’s computer. She’s had an account opened in her name and $10K stolen from one of her bank accounts on 12/23/20, so ever since then I’ve been trying to investigate, figure out what happened, and try to correct the situation. No antivirus software can locate it, so I’m going to list everything that I’ve found out and that I’ve done below. I’m getting to the point where things are a bit over my level and I’m at my wits’ end; I would really appreciate some help and opinions. TIA


12/23 – account opened under her name through eToro and money withdrawn from account

12/26 – when we found out about it and flagged everything up with credit bureaus, the bank, and locked down that account

12/27 onward:

My mom finished flagging everything with the FTC, etc., and I had her change all of her passwords from a different device.

I noticed her email had been accessed as well – multiple rules were set up to delete any emails from her bank or from eToro. The password for her email was relatively new and, according to Google, has never been involved in a data breach where someone could have obtained it. Also, they somehow had access to her bank account, I’m guessing through signing in, but both the username and password are new, not previously compromised, not saved in her emails, and not changed by the attacker.

She has only used her home network, no public wifi, so because of this and things apparently not being involved in a data breach, I asked her about any suspicious files she may have received or opened. She said that a month or two ago she was sent a .zip file from her boss’s boss, which she (stupidly) opened (not positive that’s the issue though, but definitely possible). Now she also has an [error message](https://i.imgur.com/LenjUXq.jpg) that comes up in Outlook which specifically states that her IP was flagged as spam because of the amount of things sent out in a time period. I’m mad at myself for not taking screenshots, but this specifically listed the Gozi Trojan as the cause for this. Now the link is showing the IP as cleared, probably because I’ve taken the computer off the internet and had her stop using it so as to not risk anything else.

Because that site specifically said it was the Gozi Trojan, I’ve been reading loads of sites about tracing that trojan and its variants. I’ve checked Task Manager to see if there’s anything odd that’s running that I can get rid of, but there isn’t anything that I can see. I’ve also checked things like AppData, registry keys, etc. for specific things to look for listed on various sites and didn’t find anything. Every site says use Malwarebytes, so I started with that. Below is the list of what I’ve tried:

* Malwarebytes
* McAfee (paid)
* Kaspersky Free Virus Removal Tool
* Security Task Manager (Neuber)
* Norton Power Eraser
* Norton 360 (paid)
* Norton Forensic Toolkit (run by Norton Virus Removal team member)

I may have run more, but it’s all blurring together so I might be forgetting one.


I spoke to the Norton Virus Removal Team and they are telling me that “if our scan does not find it, it does not exist on your computer,” but everywhere I read online it says that the Gozi Trojan disguises itself as system files and is often missed by scans. The supervisor in that department says “your computer is 100% safe, you have nothing on your computer,” but I really don’t know if I should trust that.

My mom uses this computer for work and is really concerned about saving the files and information. She also does not have a backup (trust me, I know) and I doubt backing up now would be clean, so I don’t have a feasible way of just wiping the machine and starting over. At this point, I don’t even know how to confirm how this all happened, if she does have a virus, which one, and what to do. I’m pretty lost at this point so any help at all is appreciated. Sorry for the long post. Thanks again
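One defender-side check for the inbox-rule tampering described in the post (rules that delete mail from the bank and from eToro), written as an added example that is not part of the original post: it parses a Gmail filter export (Settings > Filters and Blocked Addresses > Export, assuming the mailbox is a Google account) and flags filters that trash, archive, mark-as-read or forward mail whose match criteria touch financial senders or keywords. The export contents, sender domains and keyword list are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Gmail filter export (mailFilters.xml), not data
# from the poster's account. Sender domains are placeholders.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='eToro OR "new device"'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Promotions'/>
  </entry>
</feed>"""

NS = {"atom": "http://www.w3.org/2005/Atom", "apps": "http://schemas.google.com/apps/2006"}

# Filter actions that hide mail from the account owner or leak it elsewhere.
HIDING_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo"}
# Constructed keyword list; extend with the real bank/broker sender domains.
FINANCIAL_TERMS = ("bank", "etoro", "new device", "password", "verify", "login")

def parse_filters(xml_text):
    """Return each filter entry as a dict of apps:property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}
        filters.append(props)
    return filters

def suspicious_filters(xml_text):
    """Flag filters that hide/forward mail and match financial senders or keywords."""
    flagged = []
    for props in parse_filters(xml_text):
        actions = [a for a in HIDING_ACTIONS if a in props]
        if not actions:
            continue  # labelling or starring alone does not hide anything
        criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        financial = any(term in criteria for term in FINANCIAL_TERMS)
        if financial or "forwardTo" in props:  # any forwarding rule is worth a look
            flagged.append({"criteria": criteria.strip(), "actions": sorted(actions)})
    return flagged
```

Run `suspicious_filters` over the real export after changing the password from a clean device; on the sample it flags the trash rule for the bank sender and the archive-and-mark-read rule for the eToro keyword, but not the newsletter label.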
