
what is rkzqstj exe & rkzqstj dll for?

1376 Views 17 Replies 4 Participants Last post by  Rollin' Rog
Yesterday evening, I caught some malware downloading & trying to make
an icon on my desktop, while my young son was on the PC.
(I have an old windows 98 system.)
It downloaded without any prompting from my kid, as I've instructed him not to download anything to this PC. I was in the kitchen standing by, so I know he was just surfing the web. I am horrified to find out things can just install on your PC that way.
I've since changed the web browser's security settings (to prevent it in the future).

I ran adware and spybot, and now the only question I have is: I've noticed this rkzqstj temp file that refuses to be deleted from my system (in the temp folder) and rkzqstj exe & rkzqstj .dll
in my system's directory, listed around the proximity of when I abruptly pulled my son offline and ran the spybot, windows cleaner and everything else I could think of!
Is this file, rkzqstj, harmful? And why won't the temp file rkzqstj delete
when I try to delete it? The dll version does not list what it's being used for. Thanks in advance, Pflute
Status
Not open for further replies.
1 - 18 of 18 Posts
start >> find >> files and folders >> type in rkzqstj >> find now

In the results box, try right-clicking and deleting from there
Best to post a HijackThis Scanlog and let us have a look at what is running. Better instructions for removing malware can be given using that:

http://www.tomcoyote.org/hjt/

Sometimes weak security settings will permit unauthorized downloads. All Security options in Internet Options > Security should be set to default at a minimum -- which means prompts should be required for scripting and downloads that are not completely disabled in the Custom level options section.
Thank You, both!
I will run a HijackThis log, as I peeped the temp file in
notepad
and it's recording every search I make on the web
and making strange characters on the page and growing larger in size every day, it's creepy.
Also this same strange dll has installed itself into my msconfig start-up, and even when I uncheck it, it rechecks itself at startup.
I have since changed my browser's security settings. I don't know a lot about computers, but this is wrong. What if I had not been monitoring my kid's PC use when he alerted me, "Mommy, something's popping up"? (like the malware downloading without him prompting it to do so?)

Again thanks a lot.
I am new at this so if I've done this wrong please let me know.
Now I know why I can't delete this temp: it has installed itself into my startup without any permission. (2 days ago)

O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"

Could this be left over from a game my child had been playing earlier on the internet? Why is it recording our every internet search covertly in a c:\windows\temp "protected" file that won't be deleted? & How do I get rid of it for good?

Thank you, Pflute
*******************************************
Logfile of HijackThis v1.96.4
Scan saved at 11:29:16 AM, on 9/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 6.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Put a check in the item:

O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"

Then click "fix checked"

Reboot and see if you can delete the file RKZQSTJ.exe and the dll as well. Also try deleting the file in the temp folder. If you get access denied after rebooting, I will give you instructions for doing the deletions in DOS. (Is rkzqstj.dll in the same windows\system folder as the exe?)

Whatever the intent of this file it did not come with a legitimate program; if it is just monitoring sites you search, no big worry; but if it is monitoring actual key strokes you will want to change any security related passwords that have been used for e-mail or financial sites since it has been installed.

By the way, if you have previously unchecked this item in msconfig you will also need to go to the Start Menu > Programs > "disabled startups" folder and delete any entries in there you see for it.
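For readers triaging a similar log, here is an added example (not part of the original thread, and not HijackThis's own logic) that parses the registry O4 autostart lines from the log posted above and flags entries whose program name looks machine-generated, like the one being fixed. The "five or more consonants in a row" rule is an assumed, crude heuristic chosen for illustration.

```python
import re

# O4 (autostart) lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rkzqstj] "C:\WINDOWS\SYSTEM\RKZQSTJ.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$')
# Program part of the command line: quoted, or up to the first executable extension.
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|bat|dll))', re.I)
# Assumed heuristic: ordinary program names rarely contain 5+ consonants in a row.
CONSONANT_RUN = re.compile(r'[bcdfghjklmnpqrstvwxz]{5,}', re.I)

def parse_o4(log):
    """Yield (registry key, value name, program path) for each registry O4 line."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # "O4 - Startup:" shortcuts and non-O4 lines are skipped
        exe = EXE_RE.match(m.group(3))
        path = (exe.group(1) or exe.group(2)) if exe else m.group(3)
        yield m.group(1), m.group(2), path

def stem(path):
    """File name without directory or extension, lower-cased."""
    return path.rsplit('\\', 1)[-1].rsplit('.', 1)[0].lower()

def suspicious(log):
    """Registry autoruns whose program name contains a long consonant run."""
    return [(k, n, p) for k, n, p in parse_o4(log) if CONSONANT_RUN.search(stem(p))]

if __name__ == '__main__':
    for key, name, path in suspicious(SAMPLE_LOG):
        print(f'review: {key} [{name}] -> {path}')
```

A hit only means the entry deserves a manual look; a legitimate program can have an odd name, and a malicious one can have an ordinary name.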
when I click for information on the file
(rkzqstj), I get something about - new.net?
I have never intentionally downloaded any start-up software from new.net to be installed into my msconfig.
Does it automatically attach itself to
children's games while they are playing on the Internet?
any information would be appreciated, Pflute.
New.net is a private domain name registry. To access domains registered with new.net you must have new.net's software installed.

The software to use new.net has not been installed on your system. And while we regularly give instructions for removing new.net I have not previously seen the site try to engage in this type of behavior, so that is very puzzling and troubling.

Some new.net installations do occur through bundling with otherwise legitimate software. But it should not be installed through children's sites. If it has, the site owner should be contacted for further information.
Question asked:
Is rkzqstj.dll in the same windows\system folder as the exe?)

Yes! Now that I have checked, I see they are both listed in the
c:\windows\system folder, along with another file, wxjlfzi.dll, that was installed at the same time. 6:02, 6:03pm

I have no recollection of installing any software that day, and the time 6:02pm is consistent with the time we were all in the kitchen together,
My Son was playing games on the PC a few inches away and I was washing dishes.
I will contact the Gaming site's webmaster, and I have forbidden my child to go to this site. I've deleted the bookmark, too.

Also, I went into dos, and did a del c:\windows\temp\*.*
the suspicious temp file, reduced to 0 in size, but it was back
to gathering information the moment I logged back on-line.

This is just too creepy!

I will check the box in the msconfig folder when I run the hijack program again. There are two of the same entries for this Rkzqst. thing in msconfig; one is checked, the other is unchecked. It keeps coming back! (after I uncheck & reboot)
I am posting the 4 mysterious dlls, again rkzqstj.dll rkzqst exe -wxjlfzi.dll and rkzqstj.dll temp files, to help, in case some other Mother, encounters this strange incidence of files auto downloading without permission phenomena when her, children are playing games on the net. This may be something new, to target children, as there is no other written information on these dlls on the internet, in the searches that I've done.
This is just too, too creepy!

Again? Thanks so much! Pflute ( now a Paranoid Mother)
If all else fails here is what you do:

Click Start > Shutdown > Restart in MS-DOS mode

You should end up at a c:\windows> prompt. Enter each bold line:

smartdrv
deltree temp
cd system


You should now be at the prompt: c:\windows\system> At this prompt enter each bold line:


del RKZQSTJ.exe
del rkzqstj.dll
del wxjlfzi.dll
exit


You will receive prompts to confirm; enter 'y' if the target file is correct.

When you reboot to Windows You can use HijackThis to delete the registry entry you see there, if still present.

For the one that is UNchecked in msconfig, go to start> run and enter regedit

Navigate to:

Hkey_local_Machine
Software
Microsoft
Windows
CurrentVersion
RUN -


the UNchecked entry should be in the right hand pane of the Run-, folder (checked entries are in RUN)

Right click on the entry you want to delete and select "delete".
I followed your instructions, but I had to repeat it twice, as one of the files, renamed itself, (same size, same date entry)
I still can't believe this ever happened?

Now I have one more question, I checked, the cookies on this PC,
each one of them list my husband's surname.

example of cookies- jsmith @google.com
How do I remove my husband's surname from the cookies in
our cache? I don't see any cookie yet with my children's name on them, but it has me worried.
Is there a PC program or a fix to do this? (take our name off the cookies)
I am poking around on this thing, checking all cookies and temp files
now & trying to delete them like a madwoman.

Is it wise for our Internet cookies to list our surname like that?
Or am I just being super paranoid now?

(My kids have not been allowed on the PC since this thing happened.
I am going to install a firewall, before, I let them resume time on the computer.
I need a crash course on home computing safety. This recent incident has totally thrown me for a loop! I am going to warn my friends and Post a notice at my local community library, about this incident, to alert other Parents, who have Children who love playing games on the PC.

Again, Much Thanks & Gratitude, Pflute (Paranoid Mom)
The name that is prefixed to cookies, is the username used to logon to the PC.
It "may" have been set up such that you never see the log on screen and the logon is automatic.

If so, do a Find Files for *.PWL and delete all files found.
Then reboot.
It will ask for a userid/password.

Enter a Userid (for example NONE or anything else)
Do NOT enter a password, just click OK
THANKS!
I don't want a Stranger approaching my children on-line, to seem familiar to them, because they might have peeped our cookies, and know their last name.

We recently, bought a new computer, and put this older model PC in the kitchen for the kids to use, about a week ago, without checking for all this security settings & stuff first on this older PC before designating it for kid's use (freely).
What a huge mistake!

Is there any other security detail that perhaps I should check for before
clearing this PC exclusively for the kids use, and allowing them back
on-line again? I know, that I'm bumming my kids out, and being old fashioned but this is serious stuff!
We've encountered this problem in just one week time of using this old thing in the kitchen? (PC viruses, worms, hijackings?)

[Previously we just used this PC to pay bills on-line, & send family photos & e-mails.] Again, Much Thanks to Everyone.

Pflute (PM)
Thanks for the good answer on that Phil, I don't think it would have occurred to me that that is how that happened.

A few things I would do on that system Security wise, and others may have some ideas for you too, is to install a program like Spywareblaster:

http://www.javacoolsoftware.com/spywareblaster.html

This won't protect against the type of download you received, but it will against many others. While I haven't used this one personally, many here have.

Also Spybot is a necessary tool in every defensive arsenal these days, we make it a regular part of our cleanup routine here:

http://tomcoyote.org/SPYBOT/

I also see you have no antivirus program on the system. While AVG isn't the best on the web it *might* have caught this one, but the randomized nature of the installation files, makes me doubt it. Still you need something.

http://www.grisoft.com/us/us_dwnl_free.php

In Internet Explorer, you do want to ensure that you have all the Security options set to at least medium, and that the download and scripting of unsigned and unsafe Activex controls is disabled in the Custom Level section of Internet Options > Security.

Finally, if the computer hardware will support it (128 min of ram) and the kids are up to learning the use of a new browser, I would highly recommend switching over to Opera7, it is a lot less vulnerable to security hijacks and other problems than Internet Explorer:

www.opera.com
I downloaded a shareware temp file/cookie cleaner off Internet,
to try it out, to see if it worked better than the previous one I had (that ran poorly) I installed, ran it, and it worked I guess? but?
Now my Temp folder is completely gone (no longer at the c:\windows\temp location) and the files are accumulating on my desktop like icons?
I over did it right (with the cleaning)? I just wanted the files, gone, not the whole physical folder deleted!

What went wrong & how can I fix this? Thanks Pflute (PM)
PS the cookie folder is still intact.
Both the c:\windows\temp folder and the Internet Explorer Temporary Internet Folder (these are different) should automatically recreate themselves after deletion, when a program needs them.

First, to determine if the location for the Temp folder has changed, open a DOS prompt (just click Start > Run and enter command) and at the c:> prompt enter:

set

What does it say for Temp and TMP ?

Next, open Internet Options and look at the Settings tab for Temporary Internet Files.

What does it say for the location of the Temporary Internet Folder? That can be changed through that setting.

The location for the Temp folder is, I believe, specified through the registry location (run regedit)

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\explorer\VolumeCaches\Temporary files
Thanks so much!
I will check this out, thoroughly.
My Husband is fed up with my Internet Security & Child Internet Surfing Safety Paranoia. He has given me strict orders to log off, and to stop trying to be an amateur soccer-mom version of CSI, (investigator) looking for potential problems relating to our kids, inheriting this old computer, from us.
He's even offered to watch the kids, so? I 'm off to mall (lol) but I will check this out, later. (when I return) from Picking up a copy of cybersitter or net nanny software while I'm out..........

Again, Thank You all Very, Much for being so Helpful!
You're certainly welcome. No matter what you install, you shouldn't have temporary files going to the desktop; that's a system problem of some kind. It's possible if you installed that last program from a setup file on the desktop it may have altered some pointer in the registry to direct temp files to the location where it is running from.

Environmental commands to set the temp folder location can also be placed in autoexec.bat, but it shouldn't be necessary.