Tonight I found a 180searchassistant with bitdefender, an online scanner. It was installed with rosoft sound recorder. I searched the modified/create date and deleted suspect files. In the process I noticed a .sbe file, it's an exclude list for spybot s&d. I checked the exclude list in spybot and there were items as exclude, 5 items to be exact. The rosoft prog probably added the excludes on install. I don't know what registry keys were affected though. The offender was 180searchassistant 5.11 the file it operated from was rmturad.exe.tfc, a double extention. After deselecting the exclude items I ran spybot and it found the bugger. Sonsab_t_hes.
What is desktop.ini and why do I have 111 instances of it?
Why did I have a russian windows media player 6.4 as an installed component in my registry?
I had searched using *.exe and looked for files that looked like they did not belong, googled them to find out what they were tied to and if it came back unknown I took note for possible deletion. In the process the anomalys downloads/uploads have stopped, well at least the upload portion. I deleted the registry entry in installed components for the wmp 6.4 and the wmiwmpsv.exe and other exe's, inadvertently deleting the component for the cd rom. I was able to reinstall it by uninstalling the driver, reinstall driver and deleting the upper filters and lower filters in the registry and rebooting.
Apparently to stop a problem after a program install and when you notice something awry, is by using a baseline or footprint of your registry and windows/system32 areas. From what I read, propper footprinting includes a footprint from your virgin computer, a footprint before program install, and a footprint after a program install. This allows you to see where the changes are taking place so you can undo if you determine you have a problem, because add/remove progs does not get rid of everything.