As OGELTHORPE correctly states, nobody knows what gets installed or backdoored. That's the nature of these messes.
The following in addition to the (correct) suggestions to reinstall the box from a pre-breach backup, or reinstall from known-good distros, and to change all passwords for financial information, credit cards, all of the mail server logins, everything...
It would not surprise me that some of these folks may or will eventually start targeting backups (some have), and some will encrypt and hold hostage the data (ransomware is already becoming common).
If this case is likely to arise again, then...
...Get your Dad over onto Parental Controls and lock down the Mac, or (minimally) remove any administrative access that your Dad has. Or migrate your Dad over to an iPad with a keyboard cover or other such — this depends on what your Dad is doing with the Mac, obviously.
...Implement a decent-grade external firewall for the network, and block any and all inbound remote access for anything involving the screen sharing ports. I'd also DNS- and/or firewall-block all access to the common screen-sharing-capable web services, including the WebEx, TeamViewer, and LogMeIn servers — I need to get a better list of these services that folks are using, but here's a start. Block inbound and outbound. If the firewall has a triggering capability or some sort of scripting, I'd look to lock down all access to the entire Internet for probably eight hours, if any of these sites are hit even once. (This stuff is far from a panacea, but it'll make things a little harder for the next bunch of scammers.)
