Having just had SpyBot report that I was infected by Win32.OnLineGames and taken the necessary action to deal with it, I then searched Google for more information and came up with this hit into these forums
http://forums.spybot.info/showthread.php?t=16598&highlight=epsn.dll.
This thread suggests that this is a false positive. I'm not so sure. I did indeed have the file that SpyBot was complaining about (C:\Windows\system32\EPSN.dll). My other PC (same OS - XP SP2) doesn't have the file. As described in the thread, SpyBot wasn't able to clean it up because it was locked by various processes that had loaded it into their address space. I cleaned it up by firing up my Windows installation CD and going into recovery mode. I simply deleted the file and restarted Windows. Everything seems to be running quite happily without this DLL, so I'm hoping it was indeed a real infection, but if anyone knows anything else (and I'm damned if I can find any more out there on the Internet), I'd be very grateful to hear their views.

hello,

this appears to be a false positive with your Epson scanner/printer software.
If you have such a device please check if it runs properly and reinstall its drivers/software if needed.

This false positive should have been resolved with the detection update 2007-08-08. Please make sure to update the detection rules regularly, they are scheduled to be released on a weekly basis.

I follow the reasoning behind your suggestion, but I've never installed an Epson driver (as I've never had an Epson device of any sort), and since my other XP SP2 machine doesn't have this DLL I can only conclude that it isn't a DLL that gets installed as part of the standard Windows installation either, which all suggests that this may in fact have been malware.
Out of interest, why do you seem to be discounting the possibility of this being a genuine positive?

hi,
thanks for your feedback.

Out of interest, why do you seem to be discounting the possibility of this being a genuine positive?
The malware we tracked in this contex did not disguise itself as a printer/scanner driver and the legit software in question (Epson drivers) do match with a couple of false positives we had that were related to the detection of Win32.OnLineGames. Additionally Win32.OnLineGames installs several files and makes a couple of changes to the registry. So it is very likely a false positive.

To make sure you can submit the EPSN.dll file to detections-at-spybot.info (replace -at- with @)
the file is stored in a password protected zip file in the recovery folder located in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Win32.OnLineGames.zip
Just submit the zip file, you do not need to unzip it.

It is odd however that you have a file that appears to belong to Epson while not having such a device installed. On the other hand computer vendors tend to install a lot of software that is not necessary.

Yodama, many thanks for the comprehensive response. I have indeed submitted the ZIP file as per your suggestion, but I have little doubt as to your analysis. As for why the file exists in the first place, this PC did come preinstalled by Fujitsu-Siemens when I bought it, so clearly they had the opportunity to load as many drivers as they saw fit. I'm still a little surprised that any of my processes should load a print driver DLL that I don't need (the "printers" section doesn't have an EPSON printer installed), but I guess that's a question for Microsoft.

Unless the email submission turns up anything unexpected, as far as I'm concerned this query is now resolved. Thanks again.

Hi all,
The SpyBot S&D seems to be picking up or on...printer driver files of the type *.dll. In my case it was hp printer files. This is true for win32.onlinegames and virtumonde. Both are PWS-Trojan. These are FP. I checked them and your printer will not work without them. If it is malicious programming then it is the OEM. I notified you all in detections and software, and also HP. :bigthumb: