Tech Support Guy banner

what is rkzqstj exe & rkzqstj dll for?

1376 Views 17 Replies 4 Participants Last post by  Rollin' Rog
Yesterday, evening , I caught some malware downloading & trying to make
an icon on my desktop, while my young son was on the PC.
(I have an old windows 98 system.)
It downloading without any prompting from my kid, as I've instructed him, not to download anything to this PC., I was in the kitchen standing by, so I know he was just surfing the web. I am horrified to find out, things can just install on your PC, that way.
I've since changed the web browser's security settings.(to prevent it in the future)

I ran adware, and spybot, and now the only question, I have is, I've notice this rkzqstj temp file, that refuses to be deleted, from my system (in the temp folder) and rkzqstj exe & rkzqstj .dll
in my system's directory, listed around the proximity of when, I abruptly pulled my son, offline and ran the spybot, windows cleaner and everything else I could think of!
This file, rkzqstj is harmful? and why won't the temp file rkzqstj delete?
When I try to delete it ? the dll version, does not list what it's being used for. Thanks in Advance Pflute
Not open for further replies.
1 - 18 of 18 Posts
start >> find >> files and folders >> type in rkzqstj >> find now

In the results box, try right-clicking and deleting from there
Best to post a HijackThis Scanlog and let us have a look at what is running. Better instructions for removing malware can be given using that:

Sometimes weak security settings will permit unauthorized downloads. All Security options in Internet Options > Security should be set to default at a minimum -- which means prompts should be required for scripting and downloads that are not completely disabled in the Custom level options section.
Thank You, both!
I will run a hijack this log, as, I peeped the temp file in
and it's recording every search, I make on the web
and making strange characters on the page and growning larger in size every day, it's creepy.
Also this same strange dll has installed itself into my msconfig start-up, and even when I un check it, it rechecks itself at startup.
I have since changed my browsers security settings, I don't know allot about computers, but this is wrong, What if I had not been monitoring my kids PC use, when he alerted me, Mommy something's popping up? (like the malware downloading without him prompting it to do so?)

Again thanks allot.
I am new at this so if I've done this wrong please let me know.
now, I know, why I can't delete this temp, it has installed itself, not my startup without any permission. (2 days ago)

O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"

Could this be left over from a game my child had been playing earlier on the internet? Why is it recording our every internet search covertly in a c:\windows \temp "protected" file that won't be deleted? & How do I get rid of for good?

Thank you, Pflute
Logfile of HijackThis v1.96.4
Scan saved at 11:29:16 AM, on 9/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
See less See more
Put a check in the item:

O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"

Then click "fix checked"

Reboot and see if you can delete the file RKZQSTJ.exe and the dll as well. Also try deleting file in the temp folder. If you get access denied after rebooting, i will give you instructions for doing the deletions in DOS. (Is rkzqstj.dll in the same windows\system folder as the exe?)

Whatever the intent of this file it did not come with a legitimate program; if it is just monitoring sites you search, no big worry; but if it is monitoring actual key strokes you will want to change any security related passwords that have been used for e-mail or financial sites since it has been installed.

By the way, if you have previously unchecked this item in msconfig you will also need to go to the Start Menu > Programs > "disabled startups" folder and delete any entries in there you see for it.
when I click for information on the file
(rkzqstj) , I get someting about -
I have never intentionally downloaded any start-up software from to be installed into my msconfig.
Does it automatically attach itself to
children's games while they are playing on the Internet?
any information would be appreciated, Pflute. is a private domain name registry. To access domains registered with you must have's software installed.

The software to use has not been installed on your system. And while we regularly give instructions for removing I have not previously seen the site try to engage in this type of behavior, so that is very puzzling and troubling.

Some installations do occur through bundling with otherwise legitimate software. But it should not installed through children's sites. If it has, the site owner should be contacted for further information
Question asked:
Is rkzqstj.dll in the same windows\system folder as the exe?)

Yes!, Now that I have checked I see, they are both listed in the
c:\windows\system folder along with another file wxjlfzi.dll was installed the same time.6:02, 6:03pm

I have no recollection of installing any software that day, and the time 6:02pm is consistent with the time we were all in the kitchen together,
My Son was playing games on the PC a few inches away and I was washing dishes.
I will contact the Gaming site's webmaster, and I have forbid my child to go this site, I've deleted the bookmark, too.

Also, I went into dos, and did a del c:\windows\temp\*.*
the suspicious temp file, reduced to 0 in size, but it was back
to gathering information the moment I logged back on-line.

This is just too creepy!

I will check the box in the msconfig. folder, when I run the hijack program again .There are two of the same entries for this Rkzqst. thing, in msconfig one is checked the other is unchecked. It's keep coming back!(after I uncheck & reboot)
I am posting the 4 mysterious dlls, again rkzqstj.dll rkzqst exe -wxjlfzi.dll and rkzqstj.dll temp files, to help, in case some other Mother, encounters this strange incidence of files auto downloading without permission phenomena when her, children are playing games on the net. This may be something new, to target children, as there is no other written information on these dlls on the internet, in the searches that I've done.
This is just too, too creepy!

Again? Thanks so much! Pflute ( now a Paranoid Mother)
See less See more
If all else fails here is what you do:

Click Start > Shutdown > Restart in MS-DOS mode

You should end up at a c:\windows> prompt. Enter each bold line:

deltree temp
cd system

You should now be at the prompt: c:\windows\system> At this prompt enter each bold line:

del RKZQSTJ.exe
del rkzqstj.dll
del wxjlfzi.dll

You will receive prompts to confirm; enter 'y' if the target file correct.

When you reboot to Windows You can use HijackThis to delete the registry entry you see there, if still present.

For the one that is UNchecked in msconfig, go to start> run and enter regedit

Navigate to:


the UNchecked entry should be in the right hand pane of the Run-, folder (checked entries are in RUN)

Right click on the entry you want to delete and select "delete".
See less See more
I followed your instructions, but I had to repeat it twice, as one of the files, renamed itself, (same size, same date entry)
I still can't believe this ever happened?

Now I have one more question, I checked, the cookies on this PC,
each one of them list my husband's surname.

example of cookies- jsmith
How do I remove my husbands' surname form the cookies in
our cache? I don't see any cookie yet with my children's name on them, but it has me worried.
Is there a PC program or a fix to do this? (take our name off the cookies)
I am poking around on this thing, checking all cookies and temp files
now & trying to delete them like a madwoman.

Is it wise for our Internet cookies to list our surname like that?
Or am I just being super paranoid now?

(My kids have not been allowed on the PC since this thing happened.
I am going to install a firewall, before, I let them resume time on the computer.
I need a crash course on home computing safety. This recent incident has totally thrown me for a loop! I am going to warn my friends and Post a notice at my local community library, about this incident, to alert other Parents, who have Children who love playing games on the PC.

Again, Much Thanks & Gratitude, Pflute (Paranoid Mom)
See less See more
The name that is prefixed to cookies, is the username used to logon to the PC.
It "may" have been set up such that you never see the log on screen and the logon is automatic.

If so, do a Find Files for *.PWL and delete all files found.
Then reboot.
It will ask for a userid/password.

Enter a Userid (for example NONE or anything else)
Do NOT enter a password, just click OK
I don't want a Stranger approaching my children on-line, to seem familiar to them, because they might have peeped our cookies, and know their last name.

We recently, bought a new computer, and put this older model PC in the kitchen for the kids to use, about a week ago, without checking for all this security settings & stuff first on this older PC before designating it for kid's use (freely).
What a huge mistake!

Is their any other security detail that perhaps, I should check for before
clearing this PC exclusively for the kids use, and allowing them back
on-line again? I know, that I'm bumming my kids out, and being old fashioned but this is serious stuff!
We've encountered this problem in just one week time of using this old thing in the kitchen? (PC viruses, worms, hijackings?)

[Previously we just used this PC to pay bills on-line, & send family photos & e-mails.] Again, Much Thanks to Everyone.

Pflute (PM)
See less See more
Thanks for the good answer on that Phil, I don't think it would have occurred to me that that is how that happened.

A few things I would do on that system Security wise, and others may have some ideas for you too, is to install a program like Spywareblaster:

This won't protect against the type of download you received, but it will against many others. While I haven't used this one personally, many here have.

Also Spybot is a necessary tool in every defensive arsenal these days, we make it a regular part of our cleanup routine here:

I also see you have no antivirus program on the system. While AVG isn't the best on the web it *might* have caught this one, but the randomized nature of the installation files, makes me doubt it. Still you need something.

In Internet Explorer, you do want to ensure that you have all the Security options set to at least medium, and that the download and scripting of unsigned and unsafe Activex controls is disabled in the Custom Level section of Internet Options > Security.

Finally, if the computer hardware will support it (128 min of ram) and the kids are up to learning the use of a new browser, I would highly recommend switching over to Opera7, it is a lot less vulnerable to security hijacks and other problems than Internet Explorer:
See less See more
I downloaded a shareware temp file/cookie cleaner off Internet,
to try it out, to see if it worked better than the previous one I had (that ran poorly) I installed, ran it, and it worked I guess? but?
Now my Temp folder is completely gone, (no longer at c:\windows\temp location and the files are accumulating on my desktop like icons?
I over did it right (with the cleaning)? I just wanted the files, gone, not the whole physical folder deleted!

What went wrong & how can I fix this? Thanks Pflute (PM)
PS the cookie folder is still intact.
Both the c:\windows\temp folder and the Internet Explorer Temporary Internet Folder (these are different) should automatically recreate themselves after deletion, when a program needs them.

First, to determine if the location for the Temp folder has changed, open a DOS prompt (just click Start > Run and enter command) and at the c:> prompt enter:


What does it say for Temp and TMP ?

Next, open Internet Options and look at the Settings tab for Temporary Internet Files.

What does it say for the locatin of the Temporary Internet Folder? That can be changed through that setting.

The location for the Temp folder, is I believe specified through the registry location (run regedit)

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\exlorer\VolumeCaches\Temporary files
See less See more
Thanks so much!
I will check this out, thoroughly.
My Husband is fed up with my Internet Security & Child Internet Surfing Safety Paranoia. He has given me strict orders to log off, and to stop trying to be an amateur soccer-mom version of CSI, (investigator) looking for potential problems relating to our kids, inheriting this old computer, from us.
He's even offered to watch the kids, so? I 'm off to mall (lol) but I will check this out, later. (when I return) from Picking up a copy of cybersitter or net nanny software while I'm out..........

Again, Thank You all Very, Much for being so Helpful!
You're certainly welcome. No matter what you install, you shouldn't have temporary files going to the desktop; that's a system problem of some kind. It's possible if you installed that last program from a setup file on the desktop it may have altered some pointer in the registry to direct temp files to the location where it is running from.

environmental commands to set the temp folder location can also be placed in autoexec.bat, but it shouldn'b be necessary.
1 - 18 of 18 Posts
Not open for further replies.