Is the user changing the password back? I know it’s a silly question, but the simplest answer is usually the most obvious. If this is user the only one getting spammed like that, then it’s probably not your IDs/passwords that are compromised, which is a good thing.
The next obvious answer is that his laptop may not actually be clean Which is hard to check remotely. I’d ask him what kind of virus checking he’s using.
Also, does he have any hosting with contact forms that use that email? It’s possibly that form is being used to spam.