Hey, long story short:
A few days ago i received a mail from my dads email account containing a link ending in php.
This was sent to a multitude of his contacts.
This process has been repeating a few days now and we have been unable to stop it.
We have tried scanning the computer in safemode with: bitdefender, Superantispyware, spybot S&D, malwarebytes.
But scans came out clean apart from a few tracking cookies that have now been removed.
Obviously we have changed the password of the mailbox, but no luck so far.
-The mail was mostly sent to his contacts, but interestingly enough about 50% of the people that received the mail were also recepients of a mail sent by my grandfather some time ago. (Still unsure if this is related but it sure is weird) This mail was sent out cause he changed email adress, but weirdly enough was sent out twice in the time of an hour, one time containing a .eml file. It might have been harmless, but I felt its worth mentioning.
-My mother's email is also mentioned as a contact but the mail won't show up in her inbox. Nor will a copy of this mail end up in my fathers inbox when I send it to him -> mother's pc also infected, auto remove?
-As I'm writing this my dad noticed some changes were made to a couple of files the past week, with some named after amd directories. Which seems strange as my dads laptop doesn't contain any amd hardware. He's going to do a system restore to a few weeks ago. But if my mothers pc is infected I doubt anything would be solved.
I'm willing to give header information and such to check if my dad's being spoofed (which would surprise me heavily considering the evidence), but I prefer to do this through another medium such as skype rather than post something like that on a forum.
Thanks in advance.
Update: Definitely something fishy in the amd64 files: found some manifest files spread out through the pc, going to google some more.
Edited by BrickInTheWall, 21 August 2015 - 02:04 PM.