I'm reasonably technically competent, but I don't know how to interpret this PC issue. As it's a real-world incident, there's some back-story.
I'm in the UK. The suspect PC runs Win8.1 up to date, used for simple desktop stuff by a family member. There are about 4 other PCs, all pretty much identically built, on the same LAN, behind an OPNSense (pfSense fork) router.
- About 5th March 2020, the family member asked me to look at their PC. A bunch of 4 or 5 remote access programs had been installed within a 10 minute period from original downloads (github or author's DL pages) - AnyVPN, TeamViewer etc - clearly from some phishing link. First time in many years; the family member is pretty good. There wasn't any sign of actual damage - none of the SW was connected, but it could have been a false trail with a different malware less visible. I took the disk from that system offline, connected it to a "known good" PC and scanned with Kaspersky. Nothing. Apparently clean. But even so, I deleted and installed a complete clean new system and software on that PC, to ensure it was clean.
- On 30 April, the relative reported being locked out of their email for the last 2 days. Email for them is Outlook 2010 + Gmail + IMAP, with a long hard password. (They also use an android app for email when away from home, but with the Corona lockdown they haven't been out.) The Google web UI reported an account lockout due to a suspect login attempt from some IP address in Holland. But it didn't provide a list of actual logins to check for an actual breach (too many days/logins ago). I wondered if this might be his mobile email, using a Vodafone European IP in Holland or something, but the IP wasn't a telco. Google reported a PW change, but the relative had also tried different PWs to try and log in before telling me. I changed the password myself to be sure, more because Google insisted than because I thought the hard password was guessed. So admittedly I changed it lazily (suffixed the old PW with "1" to keep it easy for them). No further issues....
- Today he reported he has been locked out of his email again. Same kind of thing. French IP this time (185.93.2.181), attempted on 12 May (says Google) to login using his new PW and was blocked as a precaution. This time there is history - but the only successful logins are from our home IP address. The IP doesn't seem to mean anything, and doesn't seem to be a Tor exit.
So I'm unclear how to interpret. This is as far as I can work it out:
The PC's disk was wiped. Other systems on the LAN aren't showing mysterious Google security events. The original phish installed official (digital sig/official DL site) software. So it doesn't seem likely that overt or covert malicious stuff persisted from the 5 March event.
On 2 subsequent occasions, Google reports security issues with an attempted login from Dutch (28 April) and French (12 May) IPs. The addresses don't mean anything to me. They aren't mobile or Tor either, apparently. There don't seem to be any actual breaches. I can't tell if a password was taken or not, because I don't know whether it was used or my relative did it, but I changed the password anyway.
The current (3rd) event is worrying. After the 2nd event when I changed the PW, I would expect that put an end to any issues with unaccounted logins, but it didn't. No other machine here has had such logins. But the changed PW after the 2nd attempt was one I myself set via the browser on a clean OS. If that's not it, then what is Google alerting on? Was there even a breach at all after the March incident, and is Google being over-cautious? Could it be something silly like his mobile phone provider's EU IP? I don't see clearly.
So I'm not sure at all what to make of it, which limits what responses to choose...
Ideas?
Update:
As suggested by @schroeder, I checked GMail itself. The relative's email should be mutually shared by/delegable to/usable by one other user, his wife.
On his account, no other delegated users are shown (I'm not 100% sure if there could be other ways to login via Google, I might need guidance what to check), and the recovery details are unchanged and the recovery email is almost certainly unbreached (almost never logged in, credentials known to me only and not online).
I then checked his wife's account, in case she's the backdoor. No unexpected delegation on hers, no evidence of logins from unexpected places, no evidence of Google Security alert history or emails (although they could have been wiped), no sign of a breach in Google Account security or recent logins. Also usually she's more careful than he is, and the March phishing attack was his machine not hers.
Does this exclude a GMail related intrusion or are there other things I should check? I'm not that familiar with GMail security but it seems straightforward...?
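The update above covers delegation, recovery details and recent logins. As an added example (not code from the original post), the script below goes through the other Gmail settings that someone who has had the password at some point typically leaves behind: account-wide auto-forwarding, registered forwarding addresses, filters that forward, trash or hide mail, extra delegates, and send-as aliases or a diverted Reply-To. It works over the JSON that the Gmail API's `users.settings.getAutoForwarding`, `forwardingAddresses.list`, `filters.list`, `delegates.list` and `sendAs.list` calls return; fetching those needs OAuth and a network, so the example embeds a constructed sample document instead. The owner address, the trusted-spouse list, the filter IDs and the attacker relay address are all placeholders I made up for the example.

```python
"""Gmail persistence triage over users.settings.* JSON (added example).

The dict shapes mirror the Gmail API responses for getAutoForwarding,
forwardingAddresses.list, filters.list, delegates.list and sendAs.list.
All addresses and IDs below are constructed placeholders.
"""
from typing import Any, Dict, List

# Hypothetical household: the owner and the one person meant to have access.
OWNER = "relative@example.com"
TRUSTED = {"spouse@example.com"}


def check_forwarding(auto_fwd: Dict[str, Any], fwd_addresses: Dict[str, Any]) -> List[str]:
    """Account-wide forwarding, plus any forwarding target that was registered."""
    findings = []
    if auto_fwd.get("enabled"):
        findings.append(
            f"auto-forwarding ON to {auto_fwd.get('emailAddress')} "
            f"(disposition={auto_fwd.get('disposition')})"
        )
    for fa in fwd_addresses.get("forwardingAddresses", []):
        email = fa.get("forwardingEmail", "")
        if email not in TRUSTED:
            findings.append(
                f"forwarding address registered: {email} "
                f"({fa.get('verificationStatus', 'unknown')})"
            )
    return findings


def check_filters(filters: Dict[str, Any]) -> List[str]:
    """Filters that forward, trash or hide matching mail are the classic backdoor."""
    findings = []
    for flt in filters.get("filter", []):
        action = flt.get("action", {})
        reasons = []
        if action.get("forward"):
            reasons.append(f"forwards to {action['forward']}")
        if "TRASH" in action.get("addLabelIds", []):
            reasons.append("sends matches to Trash")
        hidden = {"INBOX", "UNREAD"} & set(action.get("removeLabelIds", []))
        if hidden:
            reasons.append("removes " + "/".join(sorted(hidden)))
        if reasons:
            findings.append(
                f"filter {flt.get('id')} matching {flt.get('criteria')}: " + "; ".join(reasons)
            )
    return findings


def check_delegates(delegates: Dict[str, Any]) -> List[str]:
    """Any delegate other than the expected one can read and send as the owner."""
    return [
        f"unexpected delegate: {d.get('delegateEmail')} ({d.get('verificationStatus', 'unknown')})"
        for d in delegates.get("delegates", [])
        if d.get("delegateEmail") not in TRUSTED
    ]


def check_send_as(send_as: Dict[str, Any]) -> List[str]:
    """A foreign send-as alias or Reply-To silently diverts replies."""
    findings = []
    for alias in send_as.get("sendAs", []):
        email = alias.get("sendAsEmail", "")
        reply_to = alias.get("replyToAddress", "")
        if email != OWNER and email not in TRUSTED:
            findings.append(f"send-as alias: {email}")
        if reply_to and reply_to != email and reply_to not in TRUSTED:
            findings.append(f"Reply-To on {email} points at {reply_to}")
    return findings


def triage(settings: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run every check over one account's already-fetched settings."""
    return (
        check_forwarding(settings.get("autoForwarding", {}), settings.get("forwardingAddresses", {}))
        + check_filters(settings.get("filters", {}))
        + check_delegates(settings.get("delegates", {}))
        + check_send_as(settings.get("sendAs", {}))
    )


# Constructed sample: the expected spouse delegation, a harmless labelling
# filter, and one filter that copies bank mail out and drops it in Trash.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": False},
    "forwardingAddresses": {
        "forwardingAddresses": [
            {"forwardingEmail": "relay@attacker.example", "verificationStatus": "accepted"}
        ]
    },
    "filters": {
        "filter": [
            {
                "id": "ANe1Bmj-x1",
                "criteria": {"from": "bank.example"},
                "action": {
                    "forward": "relay@attacker.example",
                    "addLabelIds": ["TRASH"],
                    "removeLabelIds": ["INBOX", "UNREAD"],
                },
            },
            {
                "id": "ANe1Bmj-x2",
                "criteria": {"from": "newsletter@example.org"},
                "action": {"addLabelIds": ["Label_3"]},
            },
        ]
    },
    "delegates": {"delegates": [{"delegateEmail": "spouse@example.com", "verificationStatus": "accepted"}]},
    "sendAs": {"sendAs": [{"sendAsEmail": "relative@example.com", "isDefault": True}]},
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SETTINGS) or ["no persistence settings found"]:
        print(line)
```

Without the API, the same five things are visible by hand in Gmail under Settings: "Forwarding and POP/IMAP", "Filters and Blocked Addresses", and "Accounts and Import" (delegates and send-as). The two checks this script cannot cover live in the Google Account security page rather than Gmail: third-party apps with account access, and any app passwords that were generated, since either one keeps working after a password change.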