Towards the end, he was very problematic and I ended up firing him. However, he had used my computer at times to test the internet links to the security cameras.
After he left, I found messages from Winpatrol that certain startup commands had been disabled, including WinPatrol. When I checked, I found a a folder under Users/{My User Account}
named XLDEF.
When I reviewed the folder, I found three VBS scripts, setup.vbs, start.vbs, and another. In addition, there were three DAT files. One had a very complex VB script. The other two files were compiled DAT files. In addition, there were over 580 files with random numbers and random extensions. When I checked some of these files, they contained only 1 entry, usually a character string starting with the leter K and a number after the K.
I have removed the entry in the registry, moved the files and directory off the hard drive, and made a copy. I am suspicious that this is a keylogger but nothing is detecting it. MSE did say it was suspicious and I sent it to them, but who knows how long it will take to find.
For obvious reasons, I have not uploaded it yet and will provide it to the right people for review.
Thanks!!!