I’ve been dealing with, I believe, a variant of the Gozi Trojan on my mom’s computer. She’s had an account opened in her name and $10K stolen from one of her bank accounts on 12/23/20, so ever since then I’ve been trying to investigate, figure out what happened, and try to correct the situation. No antivirus software can locate it, so I’m going to list everything that I’ve found out and that I’ve done below. I’m getting to the point where things are a bit over my level and I’m at my wits’ end; I would really appreciate some help and opinions. TIA
12/23 – account opened under her name through eToro and money withdrawn from account
12/26 – when we found out about it and flagged everything up with credit bureaus, the bank, and locked down that account
12/27 onward:
My mom finished flagging everything with the FTC, etc., and I had her change all of her passwords from a different device.
I noticed her email had been accessed as well – multiple rules were set up to delete any emails from her bank or from eToro. The password for her email was relatively new and, according to Google, has never been involved in a data breach where someone could have obtained it. Also, they somehow had access to her bank account, I’m guessing through signing in, but both the username and password are new, not previously compromised, not saved in her emails, and not changed by the attacker.
She has only used her home network, no public wifi, so because of this and things apparently not being involved in a data breach, I asked her about any suspicious files she may have received or opened. She said that a month or two ago she was sent a .zip file from her boss’s boss, which she (stupidly) opened (not positive that’s the issue though, but definitely possible). Now she also has an [error message](https://i.imgur.com/LenjUXq.jpg) that comes up in Outlook which specifically states that her IP was flagged as spam because of the amount of things sent out in a time period. I’m mad at myself for not taking screenshots, but this specifically listed the Gozi Trojan as being the cause for this. Now the link is showing the IP as cleared, probably because I’ve taken the computer off the internet and had her stop using it so as to not risk anything else.
Because that site specifically said it was the Gozi Trojan, I’ve been reading loads of sites about tracing that trojan and its variants. I’ve checked Task Manager to see if there’s anything odd running that I can get rid of, but there isn’t anything that I can see. I’ve also checked things like AppData, registry keys, etc. for the specific things to look for listed on various sites and didn’t find anything. Every site says use Malwarebytes, so I started with that. Below is the list of what I’ve tried:
* Malwarebytes
* McAfee (paid)
* Kaspersky Free Virus Removal Tool
* Security Task Manager (Neuber)
* Norton Power Eraser
* Norton 360 (paid)
* Norton Forensic Toolkit (run by Norton Virus Removal team member)
I may have run more, but it’s all blurring together so I might be forgetting one.
I spoke to the Norton Virus Removal Team and they are telling me that “if our scan does not find it, it does not exist on your computer,” but everywhere I read online it says that the Gozi Trojan disguises itself as system files and is often missed by scans. The supervisor in that department says “your computer is 100% safe, you have nothing on your computer,” but I really don’t know if I should trust that.
My mom uses this computer for work and is really concerned about saving the files and information. She also does not have a backup (trust me, I know) and I doubt backing up now would be clean, so I don’t have a feasible way of just wiping the machine and starting over. At this point, I don’t even know how to confirm how this all happened, if she does have a virus, which one, and what to do. I’m pretty lost at this point, so any help at all is appreciated. Sorry for the long post. Thanks again
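The mail rules the poster found (rules that delete anything from the bank or from eToro) are a common sign of account takeover, and they are easy to check for systematically rather than by scrolling through settings. The script below is an added example, not from the original post: it parses a Gmail filter export (the mailFilters.xml file Gmail produces from Settings, Filters, Export) and flags filters that forward mail elsewhere, or that trash, archive or mark-as-read messages matching financial keywords. The XML sample inside it is constructed for the example; the keyword list and the attacker address in the sample are assumptions, and the property names used (`from`, `hasTheWord`, `shouldTrash`, `forwardTo`, and so on) are the ones Gmail's export uses in the `apps` namespace.

```python
"""Flag suspicious mail filters in a Gmail filter export (mailFilters.xml).

Added example for mailbox triage after a suspected account takeover.
Reads the Atom-feed XML that Gmail exports and reports filters that
(a) forward mail to another address, or
(b) silently hide mail (trash / archive / mark as read) that matches
    financial or security-related keywords.
"""
import xml.etree.ElementTree as ET

NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "apps": "http://schemas.google.com/apps/2006",
}

# Filter actions that make mail disappear from the owner's view or leave the account.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
FORWARDING_ACTIONS = ("forwardTo",)

# Keywords (assumption: tune to the account's own banks/brokers) that an attacker
# typically wants to suppress: bank alerts, broker mail, verification codes.
SENSITIVE_TERMS = ("bank", "etoro", "verification", "password", "security alert")

# Constructed sample export: one benign filter, one that trashes bank alerts,
# one that forwards anything mentioning eToro to an outside address (assumed).
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='etoro'/>
    <apps:property name='forwardTo' value='dropbox-account@mailbox.example'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.findall("atom:entry", NS):
        props = {}
        for prop in entry.findall("apps:property", NS):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def _match_text(props):
    """Concatenate the matching criteria of a filter for keyword checks."""
    keys = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")
    return " ".join(props.get(k, "") for k in keys).lower()


def find_suspicious(filters):
    """Return (filter, reason) pairs for filters that warrant a closer look."""
    findings = []
    for props in filters:
        reasons = []
        for action in FORWARDING_ACTIONS:
            if props.get(action):
                reasons.append(f"forwards mail to {props[action]}")
        criteria = _match_text(props)
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding and any(term in criteria for term in SENSITIVE_TERMS):
            reasons.append(f"hides sensitive mail ({', '.join(hiding)}) matching '{criteria.strip()}'")
        if reasons:
            findings.append((props, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for props, reason in find_suspicious(parse_filters(SAMPLE_XML)):
        print(f"SUSPICIOUS: {reason}")
```

Run it against a real export by replacing `SAMPLE_XML` with the file contents; any filter it reports that the account owner did not create should be deleted, and the account's recovery options, app passwords and connected devices reviewed at the same time, since a filter like this is usually only one part of the takeover.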