Shortcut to Documents library wrong

[Tony D]

User calls me today because his desktop and taskbar were missing some icons. Additionally, his documents are gone. Went over there and found when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link it and it was pointing to C:\Users\\Temp. The documents were intact and in C:\Users\\Documents where you'd expect them. I redirected the link to the proper folder.

 

When he opened Outlook, it looked as if it were opening for the first time. It wanted to set up his email account. I searched and couldn't find his pst file. I even searched with Show hidden files enabled.

 

I added Word and PowerPoint back to his taskbar.

 

Any idea of what happened? Maybe a disk hiccup. I should have ran chkdsk before I left.

[allheart55 Cindy E]

It might have helped if you ran Recuva or Everything on it.

[Tony D]

There was no need. The files were there. Well, except for that pst file. Thinking of it, maybe there are other files missing. Thanks for the suggestion.

 

btw: I'm not familiar with Everything

[DSTM]

"Everything" is brilliant, Tony. I wouldn't be without it.

[Tony D]

I searched the User directory for *.pst. It found some contact pst file that hadn't been modified for a few years. So that wasn't the right pst file. It seems to me that search would have worked. I may return next week and try the Everything app to see what it does.

[allheart55 Cindy E]

The search everything app works really well.

I have it on every computer.

Dougie turned me on to it about five years ago.

There's even a portable version now.

[plodr]

I use Search Everything but I've now also added Agent Ransack too.

https://www.mythicsoft.com/agentransack

[allheart55 Cindy E]

That looks interesting, plodr.

[Tony D]

Anyone have an idea of why the documents shortcut target, desktop and taskbar got changed? That was my question.

[allheart55 Cindy E]

Have you checked for malware, Tony?

[allheart55 Cindy E]

Also....If there were bad sectors on the hard drive and items were moved...??

[starbuck]

when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link it and it was pointing to C:\Users\<his user name>\Temp.

The documents were intact and in C:\Users\<his user name>\Documents where you'd expect them.

There was a type of malware that actually did this.... haven't seen it for quite awhile though.

In the days that we used OTL, we used to add a custom scan to search for this:

%USERPROFILE%\..|smtmp;true;true;true /FP

Combofix also searched for this malware and is designed to remove it and move the folders/files back to the original location.

The important thing was not to empty the temp files until this malware was removed.

That was the reason we changed tactics and stopped emptying the temp files before starting the malware removal process.

 

I'm not saying this is definitely the case here, just that it may be a possibility.

[Tony D]

I'll have to get over there to run a scan. It has Emisosft's AntiMalware.

[starbuck]

Have a look for this folder....SMTMP

If it exists, then the malware could be present.

This very annoying Trojan virus creates the SMTMP folder in C:\Users\%User\AppData\Local\Temp\ folder and moves to it all files from Start and Desktop folders, basically screwing up users Start Menu and Desktop.

 

It also modifies the moved files with hidden tag, so they are no longer visible to common users (with hidden files hidden in system).

[Tony D]

Thanks Starbuck. There was no SMTMP folder in that directory.

 

I ran an Emsisoft AntiMalware scan this morning. Just some adware - Ask mostly.

[starbuck]

There was no SMTMP folder in that directory.

Then I doubt that this malware is responsible then.

It could be that something went wrong with the explorer.exe process.