Malware/Spoofware Trying to Install Hardware Device (Interferes with Antivirus)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Crashdance22, Jun 9, 2010.

  1. Crashdance22

    Crashdance22 Private E-2

    I am an Avira Antivir and Lavasoft Ad-Aware user to defend against viruses, malware, and spyware. I use Windows XP Media Center Edition 32-bit with Service Pack 3 and the latest updates. Yesterday evening I noticed something strange going on with Ad-Aware. While installing an update, a window popped up saying AdWatch ActivityMonitor has not passed Windows logo testing. The fact that the title bar says "Hardware Installation" is also suspicious.


    I have read the README Malware Removal Guide and scanned with SUPERAntiSpyware, MalwareBytes, RootRepeal, and MGtools. I'm not ok with running ComboFix as I've read that it should only be used as a last resort and a bug in the past has corrupted hundreds of Windows installations. Both MalwareBytes and SUPERAntiSpyware found nothing but tracking cookies, so there's no need to post the logs for those. I have the other logs attached.

    I did a fair amount of research and read some forum threads on the issue and found out that whatever is trying to install this "device" is not associated with Ad-Aware, and Lavasoft specifically said that this was only happening with a handful of users. I also learned that this is happening with Kaspersky Internet Security 2010.

    I then restored my system to about a week prior to this going on and once I restarted the problem seemed to be gone. However, soon after I started noticing a popup bubble in the lower right corner every few minutes saying "Found New Hardware: Generic volume shadow copy" for a split-second, then the dialog window for installing new hardware. Of course, I cancelled. This was and is still happening at random, and seems to sometimes be triggered by starting a full Antivir scan. I checked the device manager but didn't find anything unusual. Either this program is trying to install a virtual device or trying to fool the user into doing something dangerous. After clicking cancel in the dialog box a popup bubble then tells me the hardware installation failed and the device may not work properly. After closing that, the hardware icon disappears from the taskbar.

    I checked the running processes with Process Explorer and found 3 processes running after the event: Microsoft Volume Shadow Copy Service (vssvc.exe), MS Software Shadow Copy Provider via COM Surrogate (dllhost.exe), and MS DTC Console Program (msdtc.exe). Could this program be trying to take snapshots of my HDD?

    I also found some interesting things in the Event Viewer. Under System, I'm seeing repeat errors saying "VolSnap" and "DCOM". They say DCOM cannot be started and several different stop errors when VolSnap attempted to shadow copy volume C. After seeing this I'm certain this program is trying to steal information. Fortunately, VolSnap doesn't appear to have successfully started and there's no unusual HDD activity either. I've included a link to the EVT log. I tried loading it in Event Viewer but even if I choose System as the type, it still fails to open it and tells me to select a type. If you also have problems with the log let me know.

    I also mentioned in the title that this program is interfering with AntiVir. In the several times I've started a full scan, whether the New Hardware dialog box appears or not, most of the time Antivir has gotten stuck either on the first step or quite a way into the scan. Pausing and resuming the scan has made it resume, but I've been unable to complete a full scan because of this problem. I've also done scans with Ad-Aware and HiJackThis. Both found nothing strange. Since I started noticing this problem I've had to re-install Antivir twice because both the system restore and booting into Safe Mode broke it. Before creating this thread I also updated Ad-Aware, which triggered the ActivityMonitor warning again.

    I don't know if I would call this program "malware" since it doesn't seem to be doing damage to Windows, but it's definitely trying to steal information. Does anyone have any ideas on how to remove it? Has anyone seen an infection like this before? Any and all help is appreciated, I know this is a bit of a detailed problem.

    UPDATE: I looked at the System event log again this morning and noticed quite a few services being started that I overlooked before. Services such as Network Location Awareness, Computer Browsing, Remote Access Connection Manager, and several others are being started upon each bootup. Check the EVT log for details.

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is not a malware issue. I suggest that you post in the software forum for further assistance with this issue. Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
  3. Crashdance22

    Crashdance22 Private E-2

    Thanks for the response, I was skeptical that these services were being used by malware. So you think no infection exists at all? It seems rather unusual that the ActivityMonitor prompt, Antivir problems, and the shadow copy "device" prompt would all be happening at the same time. If there's really no malware on my system, what could be causing the ActivityMonitor and Generic volume shadow copy installations to pop up? I've never seen either happen before.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Frankly, I don't know. This is something to pursue in the software forum where someone may possibly have experienced the same or similar issue. But it is not malware that is causing this. Have you installed a firewall? And just as a side note, I would dump Ad-aware as it is pretty useless these days. ;)
     
  5. Crashdance22

    Crashdance22 Private E-2

    I don't have a software firewall, but of course, my router has one. I've actually found Ad-Aware to be helpful; I had a Vundo infection once and its early boot cleaner completely killed the multiple dangerous DLLs scattered across my hard drive.

    Anyway, thanks for the suggestions, I'll see what the software lurkers have to say. :)
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. And good luck!! :)
     