Shortcut to Documents library wrong

Tony D

Super-Moderator
Jan 18, 2016
SE Pennsylvania, USA
Thread starter Admin #1
User calls me today because his desktop and taskbar were missing some icons. Additionally, his documents are gone. Went over there and found when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link and it was pointing to C:\Users\<his user name>\Temp. The documents were intact and in C:\Users\<his user name>\Documents where you'd expect them. I redirected the link to the proper folder.

When he opened Outlook, it looked as if it were opening for the first time. It wanted to set up his email account. I searched and couldn't find his pst file. I even searched with Show hidden files enabled.

I added Word and PowerPoint back to his taskbar.

Any idea of what happened? Maybe a disk hiccup. I should have run chkdsk before I left.
 

Tony D

Super-Moderator
Jan 18, 2016
SE Pennsylvania, USA
Thread starter Admin #3
There was no need. The files were there. Well, except for that pst file. Thinking of it, maybe there are other files missing. Thanks for the suggestion.

btw: I'm not familiar with Everything
 

Tony D

Super-Moderator
Jan 18, 2016
SE Pennsylvania, USA
Thread starter Admin #5
I searched the User directory for *.pst. It found some contact pst file that hadn't been modified for a few years. So that wasn't the right pst file. It seems to me that search would have worked. I may return next week and try the Everything app to see what it does.
 

starbuck

Malware Removal Specialist - Administrator
Jul 16, 2014
Admin #12
when you open the user's account and click on the documents icon in the left-hand pane, indeed there were no documents. I checked Properties of the Documents library link and it was pointing to C:\Users\<his user name>\Temp.
The documents were intact and in C:\Users\<his user name>\Documents where you'd expect them.
There was a type of malware that actually did this.... haven't seen it for quite a while though.
In the days that we used OTL, we used to add a custom scan to search for this:
%USERPROFILE%\..|smtmp;true;true;true /FP
Combofix also searched for this malware and is designed to remove it and move the folders/files back to the original location.
The important thing was not to empty the temp files until this malware was removed.
That was the reason we changed tactics and stopped emptying the temp files before starting the malware removal process.

I'm not saying this is definitely the case here, just that it may be a possibility.
 

starbuck

Malware Removal Specialist - Administrator
Jul 16, 2014
Admin #14
Have a look for this folder....SMTMP
If it exists, then the malware could be present.
This very annoying Trojan virus creates the SMTMP folder in C:\Users\%User\AppData\Local\Temp\ folder and moves to it all files from Start and Desktop folders, basically screwing up the user's Start Menu and Desktop.

It also modifies the moved files with the hidden tag, so they are no longer visible to common users (with hidden files hidden in system).
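
A read-only way to run the check described in the post above, as an added example that is not part of the original thread or of any tool named in it. The `C:\Users` profile root and the function name `Find-SmtmpFolder` are assumptions; run it from an elevated prompt so other users' profiles are readable.

```powershell
# Added example: read-only check for the SMTMP indicator described in this thread.
# Assumptions: profiles live under C:\Users and Temp is AppData\Local\Temp
# (the path given in the post). Nothing is moved, unhidden or deleted.

function Find-SmtmpFolder {
    param(
        [string]$ProfilesRoot = 'C:\Users'   # assumed default profile location
    )

    # -Force is needed throughout: the moved files carry the hidden attribute.
    $userDirs = Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue

    foreach ($userDir in $userDirs) {
        $temp = Join-Path $userDir.FullName 'AppData\Local\Temp'
        if (-not (Test-Path -LiteralPath $temp -ErrorAction SilentlyContinue)) { continue }

        # Look for a folder named smtmp anywhere under this user's Temp directory.
        $hits = Get-ChildItem -LiteralPath $temp -Directory -Recurse -Force `
                    -Filter 'smtmp' -ErrorAction SilentlyContinue

        foreach ($hit in $hits) {
            # Count what is inside, and how much of it is flagged hidden.
            $items  = @(Get-ChildItem -LiteralPath $hit.FullName -Recurse -Force -ErrorAction SilentlyContinue)
            $hidden = @($items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })

            [pscustomobject]@{
                User        = $userDir.Name
                Folder      = $hit.FullName
                ItemCount   = $items.Count
                HiddenCount = $hidden.Count
                Created     = $hit.CreationTime
            }
        }
    }
}

$found = @(Find-SmtmpFolder)
if ($found.Count -eq 0) {
    Write-Output 'No SMTMP folder found under any profile Temp directory.'
} else {
    $found | Format-Table -AutoSize
    # Per the thread: the moved files live in Temp, so cleaning Temp would destroy them.
    Write-Warning 'SMTMP folder present: do not empty Temp until the files have been recovered.'
}
```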
 

starbuck

Malware Removal Specialist - Administrator
Jul 16, 2014
Admin #16
There was no SMTMP folder in that directory.
Then I doubt that this malware is responsible.
It could be that something went wrong with the explorer.exe process.
 