Strange problem, maybe wrong place, but thought you guys might could help.
I have a very small business client, Windows 12 Server Essentials R2 and seven Win 7 Pro workstations. One of the owners believes that his live-in girlfriend has somehow installed some kind of monitoring software on his Win 7 Pro workstation that sends her screen shots or some kind of report on his web activity. She is apparently very paranoid about him looking at any type of porn. He is also understandably concerned that she may be seeing his business banking / accounting information that should be confidential.
He also believes she has done the same to his home laptop.
Apparently last week, with all the hubbub on the internet about Kim Kardashian posing nude in "Paper" Magazine, he followed some kind of a click-bait link to a nude Kim Kardashian video and when he got home she apparently described what he had been looking at on his screen and proceeded to ream him out. He is convinced she actually saw a screen shot or something.
Another incident on his home laptop (I know it's consumer Windows 7 or better, not 10, but haven't seen it so don't know exact version). Similar story ... he was sitting on couch this weekend and she was away on trip. I don't think she carries a laptop. He was researching a trip to Las Vegas and followed a link to pictures of some famous street there. Apparently one of the pictures was of "mostly" topless showgirls in their costumes out on the public street advertising a nightclub or something, and again she called him on the phone and reamed him out for looking at a picture of the showgirls; my understanding is that it was almost in real time.
Normally I just remove stuff with the basic tools if someone gets some malware or a virus, maybe google a bit if it's something difficult to get rid of ... or save data and reformat, which is sometimes more economical and complete. In this case, I'm more specifically interested in what it is and how it got there to prevent it (i.e. not just an infected website or mistaken click on a fake dialog).
At this point he has decided to unplug his workstation from the network and has run a Malwarebytes scan over top of AVG Cloud Antivirus, which did find quite a few trojan things that were removed, and after a reboot subsequent scans were clean. Maybe that got it, but I'm not sure. He plans to keep it unplugged for a few days to see if she mentions that she can't see it anymore, then maybe turn it back on and specifically go visit a few porn sites to see if she "catches" him again, which would be proof that the problem is still there.
I plan to go on site in a few days; I can at least get a copy of the Malwarebytes and AVG log files to see what was detected and removed. It's a small family company so the security is pretty lax once you are inside the building, so although he doesn't think she had physical access to the machine I think it's possible that she could have and then installed something. Also, just to spice it up, apparently some time ago she had told him he had better be careful because she had an old boyfriend who was a cyber geek at the CIA or NSA who could remotely hack any PC she asked him to .... now I think that's pretty unlikely, big career risk, but if he exists he might have recommended some internet monitoring tools she could have installed. It almost sounds like some parental monitoring software that sends screen shots when the kids are doing something they shouldn't, but I'm not very familiar with those products. Also I think most of those products are fairly hidden, no tray icon or obvious add / remove program entry, and probably don't show up in standard malware scans because they are typically valid products, and if they were easy to find and remove then they wouldn't be effective against your average 12 yr old.
So any technical suggestions, or recommendations?