December 31st 09, 07:11 PM posted to microsoft.public.windowsxp.security_admin
MowGreen

Windows Defender - Warning Event ID 3004 -spoolsv.exe

Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Have you viewed the details provided in Software Explorer?
SE is available in XP in the Control Panel.
Set it to Currently Running Programs.
On my XP box, SE shows the file as Permitted but it's *not* listed as a
Network Connected Program, which is why I am suspicious about the file
on your system, Des.
Suggest you use Software Explorer to see the Process ID of spoolsv.exe.
Then open a Command Prompt, type in the following and then press Enter:

netstat -a -o

The Active Connections will be listed. Look in the far right column to
locate the Process ID of spoolsv.exe and then see which Foreign Address
it's connected to, if any.
Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and its current Foreign
Address is msnews.microsoft.com:nntp


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"



Des wrote:

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP mce. Defender is only issuing the warning in the event log, not
identifying it as any type of virus or malware. The file is not listed in either
allow or quarantine and I am sure I have never been asked nor have I cleared
the Defender history file.

Everything works fine, Event log just records the Defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?
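
The netstat check suggested in the post above, as an added example that is not part of the original thread: it parses `netstat -a -o` output and returns only the foreign addresses on which a given Process ID has a real peer, handling UDP rows (which have no State column) and listening sockets. The sample output, the host names in it and PID 1234 are constructed for illustration; the PID 2560 row reuses the newsreader example from the post.

```python
# Added example: filter `netstat -a -o` output by Process ID.
# SAMPLE is constructed output, not taken from the thread; PID 1234 is hypothetical.
SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    desktop:epmap          desktop:0              LISTENING       968
  TCP    desktop:1025           desktop:0              LISTENING       1234
  TCP    desktop:1187           host.example.net:http  ESTABLISHED     1234
  TCP    desktop:1190           msnews.microsoft.com:nntp  ESTABLISHED  2560
  UDP    desktop:1900           *:*                                    1234
"""


def parse_netstat(text):
    """Return one dict per connection row of `netstat -a -o` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip blank lines, the banner and the column header
        if not parts[-1].isdigit():
            continue  # no PID column (netstat was run without -o)
        # UDP rows have no State column, so they carry 4 fields instead of 5.
        state = parts[3] if len(parts) == 5 else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows


def remote_peers(text, pid):
    """Foreign addresses on which the given PID has an actual peer."""
    peers = []
    for row in parse_netstat(text):
        if row["pid"] != pid:
            continue
        # Listening TCP sockets and UDP sockets have no remote peer; netstat
        # shows them with a placeholder foreign address (host:0 or *:*).
        if row["proto"] == "UDP" or row["state"] == "LISTENING":
            continue
        peers.append(row["foreign"])
    return peers


if __name__ == "__main__":
    for peer in remote_peers(SAMPLE, 1234):
        print(peer)
```
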
