A member of staff contacted me regarding his Outlook client not connecting to the Exchange server. The obvious quick fix of setting up a new profile kept reporting that Exchange is offline. A quick check of the event logs gave quite a few Userenv errors, event ID 1053:
Windows cannot determine the user or computer name. (The RPC protocol sequence is not supported. ). Group Policy processing aborted.
This means that we can’t properly complete the RPC call, and suggests that network communication is having issues. So, let’s see if there’s any other evidence of problems with the machine’s networking. First, let’s see if we can get the machine’s name out of it. Open cmd and run hostname:
Well then, problems with the networking stack, let’s do a winsock reset and reset the TCP/IP stack…
Right… so MSWSOCK.dll is broken; just unregister it and re-register…
OK, Winsock is totally broken. Let’s work on that first. Nope, it turns out that’s apparently normal for both DLLs.
However, netsh int ip reset NULL fails with:
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip reset
The same error came up when I tried the winsock reset.
At this point I start thinking virus. The hosts file is fine, so I get and run a Malwarebytes scan, and it comes up with a couple of trojans that it cleans. Unfortunately the problem still persists.
Still having problems with the RPC protocol sequence error, I ran a ComboFix scan. It seems that the cause of all this was a rootkit that had replaced the TCP/IP stack. ComboFix got rid of the rootkit, and moving MSWSock.dll back and resetting the Winsock/TCP/IP stack got everything back up to 100%.
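The checks above (event ID 1053, the hosts file, the netsh helper DLL that would not load, and MSWSOCK.DLL) can be run as one read-only triage pass before anything is reset. The script below is an added example, not part of the original post; it assumes an elevated PowerShell 5+ prompt on Windows 8 or later (where Get-AuthenticodeSignature understands catalog-signed system files), reads the netsh helper list from HKLM\SOFTWARE\Microsoft\NetSh and the Winsock provider list from the Protocol_Catalog9 registry keys, and only reports findings; it performs no resets or re-registration.

```powershell
# Added example (not the post's own commands): read-only triage for the symptoms
# described above. Evidence only; nothing is reset, moved or re-registered.

function Test-MicrosoftSigned {
    # Returns $null when the file exists and carries a valid Microsoft signature,
    # otherwise a one-line description of what is wrong with it.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "MISSING: $Path" }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "$Path : signature $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "$Path : signed by '$($sig.SignerCertificate.Subject)'"
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[string]

# 1. Group Policy event 1053 in the System log over the last 7 days. On current
#    Windows the provider is Microsoft-Windows-GroupPolicy rather than Userenv,
#    but the event ID is the same.
$since = (Get-Date).AddDays(-7)
$gp = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1053; StartTime = $since } -ErrorAction SilentlyContinue
if ($gp) {
    $first = ($gp[0].Message -split "`r?`n")[0]
    $findings.Add("Event 1053 logged $($gp.Count) time(s) since $since; latest: $first")
}

# 2. hosts file: report anything beyond comments and the loopback localhost lines.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$extra = Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
foreach ($line in $extra) { $findings.Add("hosts entry: $line") }

# 3. netsh helper DLLs as registered under HKLM\SOFTWARE\Microsoft\NetSh (this is
#    how 'netsh int ip' resolves to IFMON.DLL). Each must exist in System32 and
#    carry a valid Microsoft signature; a helper that fails here explains
#    "The following helper DLL cannot be loaded".
$netsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NetSh'
foreach ($p in $netsh.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
    $r = Test-MicrosoftSigned (Join-Path $env:SystemRoot "System32\$($p.Value)")
    if ($r) { $findings.Add("netsh helper '$($p.Name)' -> $r") }
}

# 4. MSWSOCK.DLL itself, then every provider DLL in the Winsock catalog. Each
#    Catalog_Entries subkey has a REG_BINARY 'PackedCatalogItem' whose leading
#    bytes are the provider path as a NUL-terminated ANSI string.
$r = Test-MicrosoftSigned (Join-Path $env:SystemRoot 'System32\mswsock.dll')
if ($r) { $findings.Add("winsock: $r") }
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
foreach ($catalog in 'Catalog_Entries', 'Catalog_Entries64') {
    foreach ($entry in Get-ChildItem -Path (Join-Path $base $catalog) -ErrorAction SilentlyContinue) {
        $packed = (Get-ItemProperty -LiteralPath $entry.PSPath).PackedCatalogItem
        if (-not $packed) { continue }
        $len = [Array]::IndexOf($packed, [byte]0)
        if ($len -lt 0) { continue }
        $path = [System.Text.Encoding]::ASCII.GetString($packed, 0, $len)
        $path = [Environment]::ExpandEnvironmentVariables($path)
        $r = Test-MicrosoftSigned $path
        if ($r) { $findings.Add("winsock provider $catalog\$($entry.PSChildName): $r") }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean machine prints "No findings." A replaced or unsigned networking DLL, a missing netsh helper, or a Winsock provider pointing outside System32 each shows up as a single line, which is the evidence worth capturing before running a cleaner or resetting the stack.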
Thank you to https://robbiecrash.me for helping me diagnose this issue.