So, I was given the task of figuring out why Outlook will not connect to Exchange for an executive. The obvious quick fix of setting up a new profile kept reporting that Exchange is offline. A quick check of the event logs showed tonnes of Userenv errors, event ID 1053:
Windows cannot determine the user or computer name. (The RPC protocol sequence is not supported. ). Group Policy processing aborted.
This means the RPC call can't be completed properly, which suggests the machine's network communication is having issues. So, let's see if there's any other evidence of networking problems on the machine. First, let's see if we can get the machine's name out of it. Open cmd, run hostname:
Well then, problems with the networking stack. Let's do a winsock reset and reset the TCP/IP stack...
Right... so MSWSOCK.dll is broken, just unregister that and reregister...
Ok, winsock totally broken. Let's work on that first. Nope, turns out that failure is apparently normal for both DLLs.
However, netsh int ip reset NULL fails with:
The following helper DLL cannot be loaded: IFMON.DLL. The following command was not found: int ip reset
And the same error is what I got while trying to do a winsock reset.
Start thinking virus. Hosts file is good, so download and run a Malwarebytes scan, which finds 3 registry entries that disabled Security Center notifications:
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirus\DisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\Firewall\DisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\Updates\DisableNotify
Working remotely, and with no CD in the drive, I can't run SFC /Scannow after setting those registry keys to 0 to try to rectify the bunged-up Security Centre, which no longer lists AV in its options. Try running Windows Update: fail, with error 0x80070424. Checked the registry keys from that KB, they were both there, so proceeded to reregister the DLLs as detailed in the KB, and ran Windows Update.
Good, that works, so some of the busted DLLs are still registerable.
Futz about a bit more getting nowhere, and decide to run netsh int ip reset on an XP VM to find out what registry additions and resets it makes (they're listed in this KB). Exported them to a registry file, merged them into the registry on the remote computer, created a script to replace the mswsock.dll file in C:\Windows\System32 with the one from C:\Windows\System32\DLLCache, and reboot.
Which was when I lost connection to the computer. It was still up and responding to pings, but I couldn't access anything that ran through RPC at this point. So, email the client to let them know what happened, and have someone call there first thing in the morning to try to get it back up and running.
After someone got the machine rebooted, everything came up fine. By fine I mean networking worked properly. However, the cause of all this was a rootkit that replaced the TCP/IP stack. Combofix got rid of the rootkit, and moving the MSWSock.dll back, resetting the winsock/TCP/IP stack and reinstalling Office got everything back up to 100%.
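A read-only triage check for the two things this post ended up chasing, the Security Center DisableNotify values and a swapped-out mswsock.dll, written here as an added example in Windows PowerShell; it is not from the original post and is not a Malwarebytes or Combofix routine. It assumes %SystemRoot%\System32\DLLCache still holds a pristine copy of each DLL to compare against, and checks ifmon.dll the same way since netsh couldn't load it.

```powershell
# Added example, not from the original post. Read-only: it reports, it does not fix.
# Assumes the DLLCache copies are intact (on a rootkitted box, treat a "match" as weak evidence).
$SecurityCenterKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Security Center\AntiVirus',
    'HKLM:\SOFTWARE\Microsoft\Security Center\Firewall',
    'HKLM:\SOFTWARE\Microsoft\Security Center\Updates'
)

# Returns one line per DisableNotify value that is present and non-zero.
function Get-DisabledNotify {
    param([string[]]$Paths)
    $findings = @()
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name DisableNotify -ErrorAction SilentlyContinue
        if ($item -and $item.DisableNotify -ne 0) {
            $findings += "$p\DisableNotify = $($item.DisableNotify)"
        }
    }
    return $findings
}

# SHA-256 via .NET so this also works on the PowerShell 2.0 found on XP-era boxes.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([BitConverter]::ToString($bytes)).Replace('-', '')
}

# Compares the live System32 DLL against the DLLCache copy by hash.
function Compare-SystemDll {
    param([string]$Name = 'mswsock.dll')
    $live  = Join-Path $env:SystemRoot "System32\$Name"
    $cache = Join-Path $env:SystemRoot "System32\DLLCache\$Name"
    if (-not (Test-Path $live))  { return "$Name is MISSING from System32" }
    if (-not (Test-Path $cache)) { return "No DLLCache copy of $Name to compare against" }
    $liveHash  = Get-Sha256Hex $live
    $cacheHash = Get-Sha256Hex $cache
    if ($liveHash -eq $cacheHash) { return "$Name matches DLLCache copy" }
    return "$Name DIFFERS from DLLCache copy (live $liveHash, cache $cacheHash)"
}

$disabled = @(Get-DisabledNotify -Paths $SecurityCenterKeys)
if ($disabled.Count -eq 0) { 'Security Center notifications: all enabled' } else { $disabled }
Compare-SystemDll -Name 'mswsock.dll'
Compare-SystemDll -Name 'ifmon.dll'
```

Run it from an elevated prompt before touching anything; a DIFFERS line on mswsock.dll is the hint that would have pointed at the rootkit much earlier than the reboot did.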