Virus Description: Win32:Rootkit-gen [Rtk] C:\WINDOWS\TEMP\mc242.tmp

[airscapes]

There is a temp file generated at each boot that is flagged by Avast! at boot time as win32:rootkit-gen [Rtk]  I tell it to move to chest but next boot we have new file with new name mc###.  So I uploaded this to http://www.virustotal.com/ and it shows as
File mc21.tmp received on 07.25.2008 15:05:50 (CET)
Current status: finished
Result: 4/35 (11.43%)

Avast    4.8.1195.0    2008.07.25    Win32:Rootkit-gen
CAT-QuickHeal    9.50    2008.07.24    Tool.Madtol.c (Not a Virus)
GData    2.0.7306.1023    2008.07.25    Win32:Rootkit-gen
Sophos    4.31.0    2008.07.25    MadCodeHook

So what is this and how do I find out if it is real or not..
How do I find what is writing it?
Avast finds nothing if a scan is run after this is removed or in dos mode..
Thanks!
 

[Lisandro]

Maybe a new detection of avast, maybe a false positive.
But the rename of the file is suspicious... even being a temporary one...

Can you know if any legit program has that behavior? Which programs are automatically started in your computer?

[dangerdoom]

I got the same thing after the new program update (4.8.1227) ON 2 COMPUTERS!!
The file was actually "c:\documents and settings\user\local settings\temp\mc21.tmp" and also was a temp file generated at each boot.

I thought it was a false positive but i googled it and found out it was the "mchinjdrv" troyan. it's very easy to remove.
BTW, do you have supercopier2?? i'm sure it's because of it.

[airscapes]

No I don't have that program and after the last reboot the virus defs were updated and now none of those files in my chest are considered infected.. and nothing is found at boot time.  Those files are not being generated anymore either.. strange..

[Kinder]

There is a temp file generated at each boot that is flagged by Avast! at boot time as win32:rootkit-gen [Rtk]  I tell it to move to chest but next boot we have new file with new name mc###.  So I uploaded this to http://www.virustotal.com/ and it shows as
File mc21.tmp received on 07.25.2008 15:05:50 (CET)
Current status: finished
Result: 4/35 (11.43%)

Avast    4.8.1195.0    2008.07.25    Win32:Rootkit-gen
CAT-QuickHeal    9.50    2008.07.24    Tool.Madtol.c (Not a Virus)
GData    2.0.7306.1023    2008.07.25    Win32:Rootkit-gen
Sophos    4.31.0    2008.07.25    MadCodeHook

So what is this and how do I find out if it is real or not..
How do I find what is writing it?
Avast finds nothing if a scan is run after this is removed or in dos mode..
Thanks!
 

same here, with filenames mc21.tmp and mc22.tmp, I don't know what program generates theses files, but it locks up my computer and I have to do a hard reboot. Only 1 windows profile infected, the others profiles don't have the lockup problem.

virustotal and jotti don't report them as virus (as above)

[airscapes]

funny mine are gone and when I scan the files in the chest they are no longer infected.. Try updating avast and reboot.. see if it goes away..