Recently a customer opened a phishing e-mail that had been making the rounds since around the first of September. The e-mail has been reported as an IRS version of Zeus Bot (some additional info: http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html).

After the virus definitions caught up with this, it was quarantined and seemed to affect only the user profile on the terminal server where it was opened. However, users also started reporting that Internet Explorer was crashing randomly.

Looking through the event logs, I could see that IE was crashing from a faulting module named RASADHLP.dll. This file is a remote access dialup helper and shouldn’t even be in use. After comparing the files in the Windows\system32 directory with another terminal server at the location, the files appeared identical. However, the problematic server had another copy of RASADHLP.dll under C:\Program Files\Internet Explorer.

Further investigation of this file showed the creation date as the same day that the user received and opened the phishing e-mail. It also showed the user as the owner of that file. It is likely that IE was trying to use this file in its program directory first before the one in system32.

After renaming the file, IE was working without any problems. The file was removed from the system. Users running as non-admins likely helped to isolate the malware, but it had still written a bogus file to IE’s program directory.
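
The check described above (a system DLL name turning up in IE's program directory, with a recent creation date and a user account as owner) can be scripted for other servers. This is an added example, not part of the original investigation; it assumes PowerShell 4.0 or later, and the parameter names `AppDir` and `SystemDir` are illustrative.

```powershell
# Added example: list DLLs in an application directory whose file names also
# exist in System32, with the details used for triage in the write-up above
# (creation time, owner) plus signature status and a hash comparison.
param(
    [string]$AppDir    = 'C:\Program Files\Internet Explorer',  # directory to audit
    [string]$SystemDir = (Join-Path $env:windir 'System32')     # reference directory
)

# Index System32 DLLs by file name (hashtable keys are case-insensitive).
$systemDlls = @{}
Get-ChildItem -Path $SystemDir -Filter *.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDlls[$_.Name] = $_ }

# Report every DLL in the application directory that shadows a System32 name.
Get-ChildItem -Path $AppDir -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $systemDlls.ContainsKey($_.Name) } |
    ForEach-Object {
        $sys = $systemDlls[$_.Name]
        [pscustomobject]@{
            Name         = $_.Name
            AppCopy      = $_.FullName
            Created      = $_.CreationTime
            Owner        = (Get-Acl -Path $_.FullName).Owner
            Signature    = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            # False means the local copy differs from the System32 file.
            SameAsSystem = ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq
                            (Get-FileHash -Path $sys.FullName -Algorithm SHA256).Hash)
        }
    } |
    Sort-Object Created -Descending
```

A match is a lead to review rather than proof of compromise, since some applications ship their own copies of DLLs; an owner that is an ordinary user account and a creation date near a known incident are the details to look at first.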