CD starts playing by itself - malware?

About every 18-20 hours, my cd in my dvd-rom drive (e:) just starts playing in Windows Media Player (it's an audio CD) without any warning (from NIS, that is).  This has been going on for about a week and a half.  I'm suspicious b/c, well, (a) audio CDs should not start playing by themselves, and (b) about that same week and a half ago I was sent to some suspicious website domains by an Amazon Mechanical Turk survey.

 

I have NIS 18.6.0.29 (I think it tried upgrading once recently, but whatever it was failed and I had to use NPE - that's another story).  Following recovering from that, I have nonetheless done a full system scan with the latest definitions as of yesterday, and NIS reported no problems except for the usual tracking cookies.  I also remote scanned the DLLs that NPE with the restart & rootkit scan said had looked suspicious, but they passed the remote scan.

 

I installed SysInternals Process Monitor and set a filter capturing disk activity to Path E:\ in order to figure out what was causing this to happen. I just caught it again.

 

3 processes, the first two in rapid succession:

 

"C:\Windows\system32\svchost.exe -k netsvcs" followed immediately by "C:\Windows\Explorer.exe"

This svchost stack trace appears to be called from ADVAPI32.dll SetServiceStatus+0x184 and svchost then calls to shsvcs.dll (6.0.6002.18063) Ordinal1+0x4b46.  

The Explorer stacktrace has SHLWAPI.dll (6.0.6002.18393) Ordinal197+0xe1 calling SHELL32.dll (6.0.6002.18393) SHGetFileInfoW+0x2d80e as its first event.

 

then 4 seconds later (this might be legit related to Windows Media Player auto-playing the detected audio CD, I'm unsure)

"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted"

In this stack trace, I have RPCRT4.dll (the remote procedure call runtime) (6.0.6002.18024) RpcServerUnregisterIf+0x1004 calling emdmgmt.dll (6.0.6002.18005) OpenEmdPerf+0x352 (ReadyBoost? I think this is related to having a flash drive or something similar to speed up the OS; I don't have anything like this configured).

 

I have this sequence of 25 events recorded in a Process Monitor native .PML log (attached, but extension should be renamed .PML) and .XML (huge), is there somewhere I should submit it?  Does this behavior (of something reaching out to my dvd-rom drive w/o my consciously doing anything) have a normal explanation?

 

Has anyone else reported these call stacks (I've highlighted the user mode calls that appear the most characteristic entry points, the stack traces are of course much longer than this) and/or behavior?

 

Thank you.