January 2nd 10, 03:00 PM, posted to microsoft.public.windowsxp.security_admin
DES
Windows Defender - Warning Event ID 3004 - spoolsv.exe

Mow,
Thanks in advance for your help... Here's where I am currently,

Yes, I have been watching SE processes but I appreciate your suggestion.
Ran netstat with switches at the command line and results show no foreign
connections, just local address (of this computer on router) popping in and
out. Foreign address shows as (*:*). spoolsv is listed under the network group,
I suspect due to my network printer; I have a wireless HP6000(e609n) printer
connected via wireless through a Linksys router on a home network.

I ran spyware/malware repair/checkers beyond Defender and all show clean
system other than a few ad server cookies tied to yahoo home page. I recently
upgraded to SP3 just to see if that would clear up the issue, no change. I
have turned off spoolsv in services, removed both spoolsv.exe & spoolss.dll
from system32 dir and let reinstall at boot from the I386 directory, no
change. Before reinstalling I verified dates and files in I386 cab folder.
--
Des


"MowGreen" wrote:

Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Have you viewed the details provided in Software Explorer?
SE is available in XP in the Control Panel.
Set it to Currently Running Programs.
On my XP box, SE shows the file as Permitted but it's *not* listed as a
Network Connected Program, which is why I am suspicious about the file
on your system, Des.
Suggest you use Software Explorer to see the Process ID of spoolsv.exe
Then open a Command Prompt, type in the following and then press Enter

netstat -a -o

The Active Connections will be listed. Look in the far right column to
locate the Process ID of spoolsv.exe and then see which Foreign Address
it's connected to, if any.
Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and its current Foreign
Address is msnews.microsoft.com:nntp


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"



Des wrote:

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP mce. Defender is only issuing the warning in the event log, not
identifying it as any type virus or malware. The file is not listed in either
allow or quarantine and I am sure I have never been asked nor have I cleared
the Defender history file.

Everything works fine, Event log just records the defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?
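
The netstat check discussed in this post, as an added example that is not part of the original thread: a Python sketch that filters saved `netstat -a -o` output by Process ID and separates bound or listening sockets (Foreign Address `*:*` or port 0) from rows that have a real remote peer. The sample output, the host name `xp-host` and PID 1536 (standing in for spoolsv.exe) are constructed; PID 2560 and its Foreign Address mirror the newsreader example quoted above.

```python
# Constructed sample of `netstat -a -o` output (not taken from the thread).
# PID 1536 is an assumed stand-in for spoolsv.exe; PID 2560 mirrors the
# newsreader example quoted in the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    xp-host:epmap          xp-host:0              LISTENING       1024
  TCP    xp-host:1048           xp-host:0              LISTENING       1536
  TCP    xp-host:1190           msnews.microsoft.com:nntp  ESTABLISHED  2560
  UDP    xp-host:1900           *:*                                    1536
"""


def connections_for_pid(netstat_text, pid):
    """Return every TCP/UDP row whose last column (PID) matches `pid`."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        # Skip banner/header lines and rows owned by other processes.
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or f[-1] != str(pid):
            continue
        # UDP rows have no State column, so they split into 4 fields, not 5.
        state = f[3] if len(f) == 5 else ""
        rows.append({"proto": f[0], "local": f[1],
                     "foreign": f[2], "state": state})
    return rows


def remote_peers(rows):
    """Foreign addresses that are real remote endpoints.

    A LISTENING TCP socket or a bound UDP socket shows a placeholder
    Foreign Address (`host:0` or `*:*`); neither is a connection.
    """
    peers = []
    for r in rows:
        _, _, port = r["foreign"].rpartition(":")
        placeholder = (r["state"] == "LISTENING"
                       or r["foreign"] == "*:*" or port == "0")
        if not placeholder:
            peers.append(r["foreign"])
    return peers


if __name__ == "__main__":
    for pid in (1536, 2560):
        print(pid, remote_peers(connections_for_pid(SAMPLE, pid)))
```

To use it on a real machine, save the command's output to a file with `netstat -a -o > out.txt` and pass the file's contents in place of `SAMPLE`.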
