r/AskTechnology • u/Signal_Change2794 • 1d ago
Strange unsigned system files, Hidden VPN driver, could this be surveillance or backdoor activity?
Looking for some outside perspective. While digging into my Windows I found some things that do not look normal. An unsigned EXE dropped into System32 under Winlogon. A custom network driver, an unsigned .sys with a silent INF installer. It hooks into NDIS and behaves like it is tunneling. IPv6 ULA routing is showing like it's acting as a hidden internal tunnel. Full disclosure: I have an ex-husband who is very tech savvy, still claiming he is not, but I have an active restraining order on him at the moment.
I guess in the big picture my question would be:
What kind of setups would leave traces of these? Unsigned auto-start EXE, custom tunneling drivers, and surveillance? Also, he favored updates (what looked legit) for a long time, Bluetooth, and wallet/radio stuff. Homemade VPN? Rootkit? Is there something I'm missing that would be legit? He handmade a lot of EXEs that I ended up finding.
Thanks for reading, and I miss Reddit. I just didn't feel comfortable online for a long time, so it's a brand new baby account. But I appreciate any input.
u/Sea-Flow-3437 1d ago
Just reformat it and start fresh