Hello,
Check the workstation where IDR is being backed up from. Look in the c:\windows\system32\ or c:\windows\ directory for: CLSPACK.EXE - Class Package Export Tool
If it's not there, check the workstation for the W32/Shoho@MM worm. It's a mass-mailing worm that makes use of the MS01-020 IFRAME exploit; the file attachment might be executed on previewing or opening the e-mail.
The attachment is named "README.TXT________.pif". When not looking closely, one might think the filename is readme.txt and thus fail to see the real extension, .pif.
This worm will specifically delete or modify CLSPACK.EXE.
NOTE: If we do not receive your reply within two business days, this post will be marked as assumed answered and moved to the answered questions pool.
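
An added example (not part of the original post): a Python check that a mail filter or triage script could use to flag attachment names built like the one described above, where a harmless-looking extension is followed by padding and the real executable extension. The extension lists and the function names `inspect_attachment` and `is_disguised` are assumptions chosen for illustration.

```python
import re

# Assumed, partial list of extensions Windows runs directly.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "lnk"}
# Assumed list of extensions a reader takes for harmless documents.
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html", "xls"}
# Trailing characters used to push the real extension out of view.
TRAILING_PADDING = re.compile(r"[_\s\u00a0.\-]+$")


def inspect_attachment(filename):
    """Return the reasons an attachment name looks disguised (empty if none)."""
    reasons = []
    name = filename.strip().strip('"')
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return reasons  # the final extension is not directly executable
    reasons.append(f"executable extension .{ext.lower()}")
    # Drop the padding to recover the name the user believes they are seeing.
    visible = TRAILING_PADDING.sub("", stem)
    pad_len = len(stem) - len(visible)
    if pad_len >= 3:
        reasons.append(f"{pad_len} padding characters before the real extension")
    if "." in visible:
        decoy = visible.rpartition(".")[2].lower()
        if decoy in DECOY_EXTS:
            reasons.append(f"decoy extension .{decoy}")
    return reasons


def is_disguised(filename):
    """True when an executable name also carries padding or a decoy extension."""
    return len(inspect_attachment(filename)) > 1


if __name__ == "__main__":
    # Constructed sample list; the first name is the one quoted in the post.
    samples = ["README.TXT________.pif", "photo.jpg.scr", "setup.exe", "notes.txt"]
    for sample in samples:
        verdict = "DISGUISED" if is_disguised(sample) else "ok"
        print(f"{verdict:10} {sample!r}: {inspect_attachment(sample)}")
```

A plain `setup.exe` is reported with its executable extension but not marked as disguised; blocking executable attachments outright is a separate policy decision.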