The same thing happened on my server as well.
When I searched with clamav, I have found the following trojans.
/wp-content/plugins/wp-special-textboxes/lib/404.php: PHP.Trojan.WebShell-7 FOUND
/wp-content/plugins/wp-special-textboxes/lib.zip: PHP.Trojan.WebShell-7 FOUND
not sure if it came with the plugin or not. Now I can’t find this plugin in the plugin search. It sent thousands of emails 🙁
