#1
Windows Defender - Warning Event ID 3004 - spoolsv.exe
Defender is posting - Event - 3004 error code approx. every minute. I have tried adding spoolsv.exe to the:
firewall ignore list - no change
defender ignore list - no change

The file shows in Defender as a permitted file? It is an original XP operating system file but still shows unclassified? Is there somewhere that I need to change the permissions for this file to kill this continuous warning?

EVENT ID:
Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {56E59D0B-5DBC-49D1-9919-F835BC59C4EB}
User: A1640N\HP_Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

--
Any help here would be greatly appreciated...
Des
#2
Des,

How did you determine that spoolsv.exe is still a legitimate file? I fail to see any reason it should be trying to circumvent the native XP firewall as it http://www.liutilities.com/products/...brary/spoolsv/ transfers the data in a buffer. If the printer needs the data, it will retrieve it from the buffer. While the spoolsv.exe file is storing the data in the buffer, the user can carry out other operations. The spoolsv.exe process is also responsible for queuing printing tasks. Through this function, the user does not need to wait for each printing task to be completed one after the other.

Also, read the "Other instances of SPOOLSV.EXE:" section.

I'd have the file scanned here and hope the scanner can detect whether it's legit or not:
http://www.virustotal.com/

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
#3
I verified the original file dates for spoolsv.exe in the system32 folder and also the changed file date. They both match every other OS system file date for XP MCE. Defender is only issuing the warning in the event log, not identifying it as any type of virus or malware. The file is not listed in either allow or quarantine and I am sure I have never been asked nor have I cleared the Defender history file.

Everything works fine, Event log just records the Defender warning every minute or so... I'm thinking it has to do with permissions, maybe?

--
Des
#4
From: "Des"

| I verified the original file dates for spoolsv.exe in the system32 folder and
| also the changed file date. They both match every other OS system file date
| for XP mce. Defender is only issuing the warning in the event log, not
| identifying it as any type virus or malware. The file is not listed in either
| allow or quarantine and I am sure I have never been asked nor have I cleared
| the Defender history file.
| Everything works fine, Event log just records the defender warning every
| minute or so... I'm thinking it has to do with permissions, maybe?
| --
| Des

The Spooler Service can become compromised and act "differently" by such malware as the TDSS (TDL3) RootKit.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#5
Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Have you viewed the details provided in Software Explorer? SE is available in XP in the Control Panel. Set it to Currently Running Programs. On my XP box, SE shows the file as Permitted but it's *not* listed as a Network Connected Program, which is why I am suspicious about the file on your system, Des.

Suggest you use Software Explorer to see the Process ID of spoolsv.exe. Then open a Command Prompt, type in the following and then press Enter:

netstat -a -o

The Active Connections will be listed. Look in the far right column to locate the Process ID of spoolsv.exe and then see which Foreign Address it's connected to, if any. Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and its current Foreign Address is msnews.microsoft.com:nntp

MowGreen
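The check described in post #5, as an added example that is not part of the original thread: it parses saved `netstat -a -o` output and returns the Foreign Addresses owned by one Process ID, skipping listening and unconnected sockets. The sample output, the function names and PID 1580 for spoolsv.exe are assumptions made for illustration; PID 2560 mirrors the newsreader example in the post.

```python
# Added example: list the remote peers of one PID from saved `netstat -a -o`
# output. SAMPLE is constructed; PID 1580 for spoolsv.exe is an assumption.

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    a1640n:epmap           a1640n:0               LISTENING       1012
  TCP    a1640n:1029            a1640n:0               LISTENING       1580
  TCP    a1640n:1187            msnews.microsoft.com:nntp  ESTABLISHED  2560
  UDP    a1640n:1900            *:*                                    1304
  UDP    a1640n:1041            *:*                                    1580
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # banner, column header, blank or malformed line
        if pid.isdigit():
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state, "pid": int(pid)})
    return rows


def has_remote_peer(row):
    """Listening/unconnected sockets show '*:*' or '<host>:0' as Foreign Address."""
    foreign = row["foreign"]
    return foreign != "*:*" and foreign.rsplit(":", 1)[-1] != "0"


def remote_peers(text, pid):
    """Foreign Addresses of connections owned by pid that name a real peer."""
    return [r["foreign"] for r in parse_netstat(text)
            if r["pid"] == pid and has_remote_peer(r)]


if __name__ == "__main__":
    for pid in (1580, 2560):
        print(pid, remote_peers(SAMPLE, pid) or "no remote peers")
```

A PID whose rows all show `*:*` or `<host>:0` in the Foreign Address column holds only listening or unconnected sockets, so the function returns an empty list for it.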
#6
Mow,

Thanks in advance for your help... Here's where I am currently. Yes, I have been watching SE processes but I appreciate your suggestion.

Ran netstat with switches at the command line and results show no foreign connections, just local address (of this computer on router) popping in and out. Foreign address shows as (*:*). spoolsv is listed under the network group, I suspect due to my network printer. I have a wireless HP6000(e609n) printer connected via wireless through a Linksys router on a home network.

I ran spyware/malware repair/checkers beyond Defender and all show clean system other than a few ad server cookies tied to yahoo home page.

I recently upgraded to SP3 just to see if that would clear up the issue, no change.

I have turned off spoolsv in services, removed both spoolsv.exe & spoolss.dll from system32 dir and let reinstall at boot from the I386 directory, no change. Before reinstalling I verified dates and files in I386 cab folder.

--
Des
#7
More info:

After some research in the registry: This location of the registry is what is identified in the system event warning with the ID 3004.

firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe

The file is continuously added and mysteriously removed from this location in the registry? Each time it shows as an event ID... Yet I have never been asked by the Windows Firewall to allow or block or in Defender? It shows as permitted to run in the SE.

I also tried to manually add the file to the registry ok list just to see what effect and it just gets deleted from the list. What the heck try anything at this point?

Event file just keeps growing with the same Event warning from Defender... Almost seems like Firewall and Defender can't decide what, if any, action to take, creating the loop...

--
Des
#8
Des,

Suggest you contact MS for *no-charge* support in getting to the bottom of this 'weird' issue:
https://support.microsoft.com/oas/de...rid=11952&st=1

MowGreen