I've learned a bit about this and thought I would pass it on. o.bat comes in on an attachment, probably as a macro in a .txt, or is installed via a weblink in an email when the link is opened. I can't really tell which, since my aunt opens attachments and visits weblinks through emails. o.bat and the o file are then placed on C: {in this case on the desktop} and, again in this case, a hidden file {TMJA6A34} is placed in the Windows TEMP folder. When o.bat is executed by opening IE, it then redirects to a web page where the program is either downloaded and installed without user interface or knowledge, or commands the hidden file to execute, and also executes a "newfile.exe" command that alters an existing exe. Once it does execute, the file is deleted by o.bat so it can't be detected by antivirus programs and programs such as AdAware. It then continues to hijack the browser as well as passing itself on to others.
Since I was the one who executed the program by opening IE and suspected something was wrong, I used GoBack to revert the HD to a time before the execution. This enabled me to delete o.bat, the o file and all files and folders in the Windows TEMP folder. Also, since the GoBack restoration points for the time that the file was first created {April 15, 2004} had expired, it was unable to replace itself from the restoration entries. After numerous reboots my aunt's system remains clean. So, if you haven't executed the program, the removal is simple. If you have a system restore program that holds the entries for the time it showed up, be sure to disable it before deleting the files.
Unfortunately I have been unable to determine exactly which trojan this is, but I still tend to lean toward QHosts. I've copied o.bat and the o file onto a floppy and given it to a friend who is a programmer. He has promised to look at it ASAP and let me know if he finds any clues that will help identify it. If he does, I'll pass that on also.
I hope this helps someone!
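The post describes a drop pattern of a .bat file on the desktop plus a hidden file in the Windows TEMP folder, and recommends reviewing those locations before deleting anything. The following PowerShell script is an added triage example, not code from the original post or from anyone in the thread. It inventories recently created .bat files on the current user's Desktop and recently created hidden files in the user's TEMP and in `%windir%\Temp`, printing creation time and a SHA256 hash and echoing the first lines of any .bat it finds (a batch file is plain text, so its contents can be read before it is ever run). It assumes a modern Windows host with PowerShell 4.0 or later (for `Get-FileHash`); the `$Days` look-back window is an assumed default. It only reads; it removes nothing.

```powershell
# Added triage example (not from the original post). Read-only inventory of
# the drop locations described in the thread: .bat files on the Desktop and
# hidden files in the TEMP folders, restricted to recently created items.
param(
    [int]$Days = 30   # assumption: how far back to look for newly created files
)

$cutoff  = (Get-Date).AddDays(-$Days)
$desktop = [Environment]::GetFolderPath('Desktop')

# Locations to inspect: Desktop for .bat droppers, both TEMP folders for hidden files.
$locations = @(
    @{ Path = $desktop;            Filter = '*.bat'; HiddenOnly = $false },
    @{ Path = $env:TEMP;           Filter = '*';     HiddenOnly = $true  },
    @{ Path = "$env:windir\Temp";  Filter = '*';     HiddenOnly = $true  }
)

$findings = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }

    # -Force makes Get-ChildItem return hidden and system files as well.
    $items = Get-ChildItem -LiteralPath $loc.Path -Filter $loc.Filter -File -Force -ErrorAction SilentlyContinue

    if ($loc.HiddenOnly) {
        $items = $items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    }

    $items | Where-Object { $_.CreationTime -ge $cutoff } | ForEach-Object {
        [PSCustomObject]@{
            Location = $loc.Path
            Name     = $_.Name
            Created  = $_.CreationTime
            Bytes    = $_.Length
            Hidden   = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            FullName = $_.FullName
        }
    }
}

if (-not $findings) {
    Write-Host "No .bat files on the Desktop or hidden TEMP files created in the last $Days days."
    return
}

$findings | Sort-Object Created -Descending |
    Format-Table Location, Name, Created, Bytes, Hidden, SHA256 -AutoSize

# Batch files are plain text: show the first lines of each so the commands it
# would run (downloads, deletions, edits to other executables) can be reviewed
# without executing it.
foreach ($f in ($findings | Where-Object { $_.Name -like '*.bat' })) {
    Write-Host "`n--- First lines of $($f.FullName) ---"
    Get-Content -LiteralPath $f.FullName -TotalCount 20 -ErrorAction SilentlyContinue
}
```

Run it from an ordinary PowerShell prompt before taking the deletion steps the post describes; the hash column lets you compare a suspect file against antivirus vendor write-ups, and the listing is the record of what was present before the TEMP folder was cleared.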

