Posted February 24, 20178 yr FPCH Staff User calls me today because his desktop and taskbar were missing some icons. Additionally, his documents are gone. Went over there and found when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link it and it was pointing to C:\Users\\Temp. The documents were intact and in C:\Users\\Documents where you'd expect them. I redirected the link to the proper folder. When he opened Outlook, it looked as if it were opening for the first time. It wanted to set up his email account. I searched and couldn't find his pst file. I even searched with Show hidden files enabled. I added Word and PowerPoint back to his taskbar. Any idea of what happened? Maybe a disk hiccup. I should have ran chkdsk before I left.
February 24, 20178 yr FPCH Admin It might have helped if you ran Recuva or Everything on it. ~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~~~Robert McCloskey~~
February 24, 20178 yr Author FPCH Staff There was no need. The files were there. Well, except for that pst file. Thinking of it, maybe there are other files missing. Thanks for the suggestion. btw: I'm not familiar with Everything
February 25, 20178 yr "Everything" is brilliant, Tony. I wouldn't be without it. Roses are red, violets are blue, I'm Schizophrenic, and so am I Free Photo Restoration and Repair for all Forum members - CLICK HERE Please pop back and let us know if your Computer problem has been solved.
February 25, 20178 yr Author FPCH Staff I searched the User directory for *.pst. It found some contact pst file that hadn't been modified for a few years. So that wasn't the right pst file. It seems to me that search would have worked. I may return next week and try the Everything app to see what it does.
February 25, 20178 yr FPCH Admin The search everything app works really well. I have it on every computer. Dougie turned me on to it about five years ago. There's even a portable version now. ~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~~~Robert McCloskey~~
February 25, 20178 yr I use Search Everything but I've now also added Agent Ransack too. https://www.mythicsoft.com/agentransack
February 25, 20178 yr FPCH Admin That looks interesting, plodr. ~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~~~Robert McCloskey~~
February 25, 20178 yr Author FPCH Staff Anyone have an idea of why the documents shortcut target, desktop and taskbar got changed? That was my question.
February 25, 20178 yr FPCH Admin Have you checked for malware, Tony? ~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~~~Robert McCloskey~~
February 25, 20178 yr FPCH Admin Also....If there were bad sectors on the hard drive and items were moved...?? ~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~~~Robert McCloskey~~
February 27, 20178 yr Quote when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link it and it was pointing to C:\Users\<his user name>\Temp. The documents were intact and in C:\Users\<his user name>\Documents where you'd expect them. There was a type of malware that actually did this.... haven't seen it for quite awhile though. In the days that we used OTL, we used to add a custom scan to search for this: Quote %USERPROFILE%\..|smtmp;true;true;true /FP Combofix also searched for this malware and is designed to remove it and move the folders/files back to the original location. The important thing was not to empty the temp files until this malware was removed. That was the reason we changed tactics and stopped emptying the temp files before starting the malware removal process. I'm not saying this is definitely the case here, just that it may be a possibility.
February 27, 20178 yr Author FPCH Staff I'll have to get over there to run a scan. It has Emisosft's AntiMalware.
February 27, 20178 yr Have a look for this folder....SMTMP If it exists, then the malware could be present. Quote This very annoying Trojan virus creates the SMTMP folder in C:\Users\%User\AppData\Local\Temp\ folder and moves to it all files from Start and Desktop folders, basically screwing up users Start Menu and Desktop. It also modifies the moved files with hidden tag, so they are no longer visible to common users (with hidden files hidden in system).
February 27, 20178 yr Author FPCH Staff Thanks Starbuck. There was no SMTMP folder in that directory. I ran an Emsisoft AntiMalware scan this morning. Just some adware - Ask mostly.
February 27, 20178 yr Quote There was no SMTMP folder in that directory. Then I doubt that this malware is responsible then. It could be that something went wrong with the explorer.exe process.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.