Actually I reinstalled an old backup and found a new behaviour I hadn't seen before: many different directories are created throughout own files, program dir, windows and system32 dir. In Explorer they look like usual directories, but rootkit detector 2 reveals folders with ? and a hidden thing called:

HIDDEN: C:\WINDOWS\system32\OPVOC

hxxp://i3.tinypic.com/11hcqip.png
hxxp://i3.tinypic.com/11h8etf.png

I have neither anything like Oracle nor Symantec on my system. Crazy, isn't it?

Maybe it is useful to mention that a temp file is always created; in nearly all cases it has the same md5 hash, only the name changes regularly. It is always recreated or persistent even if you try to delete everything in the temp folder. The file looks like this: ~DF7EAE.tmp and is 16 KB in size. Probably nothing special, but better to mention.