RPC protocol sequence is not supported

A member of staff contacted me in regard to his Outlook client not connecting to the Exchange server. The obvious quick fix of setting a new profile up kept reporting that Exchange is offline. A quick check of the event logs gave quite a few Userenv errors, event ID 1053:

Windows cannot determine the user or computer name. (The RPC protocol sequence is not supported. ). Group Policy processing aborted.

This means that we can’t properly complete the RPC call, and suggests that network communication is having issues. So, let’s see if there’s any other evidence of problems with the machine’s networking. First, let’s see if we can get the machine’s name out of it. Open cmd, hostname:

Application popup: hostname.exe - Entry Point Not Found : The procedure entry point s_perror could not be located in the dynamic link library MSWSOCK.dll.

Well then, problems with the networking stack, let’s do a winsock reset and reset the TCP/IP stack…

The procedure entry point MigrateWinsockConfiguration could not be located in MSWSock.dll

Right… so MSWSOCK.dll is broken, just unregister that and reregister…

mswsock.dll was loaded, but the DllUnregisterServer entry point was not found

Ok, winsock totally broken. Let’s work on that first. Nope, turns out that’s apparently normal for both dlls.

However, netsh int ip reset NULL fails with:

The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip reset

And the same error I got while trying to do a winsock reset.

Start thinking virus. The Hosts file is good, so get and then run a Malwarebytes scan, and it comes up with a couple of trojans that it cleans. Unfortunately the problem still persists.

Try running Windows Update, fail. I got error 0x80070424, checked the registry keys, they were both there, so proceeded to reregister the DLLs as detailed in that KB, and ran Windows Update.

Unfortunately I was still having problems with the RPC protocol sequence error and ran a ComboFix scan. It seems that the cause of all this was a rootkit that replaced the TCP/IP stack. ComboFix got rid of the rootkit, and moving the MSWSock.dll back and resetting winsock/TCP/IP stack got everything back up to 100%.
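Since the root cause was a replaced networking DLL, a quick integrity check of mswsock.dll and every DLL registered in the Winsock catalog is worth running after cleanup. The script below is an added example, not part of the original post; the function names are hypothetical, and it assumes PowerShell 5.1 on Windows 10 / Server 2016 or later (where catalog-signed system files validate) and English-language netsh output.

```powershell
# Added example: list the DLLs behind the Winsock catalog and check who signed them.
# Assumptions: PowerShell 5.1+, Windows 10 / Server 2016+, English netsh output.

function Get-WinsockProviderPath {
    # Each entry printed by "netsh winsock show catalog" has a "Provider Path:" line.
    netsh winsock show catalog |
        Select-String -Pattern '^\s*Provider Path:\s*(.+)$' |
        ForEach-Object {
            $raw = $_.Matches[0].Groups[1].Value.Trim()
            [Environment]::ExpandEnvironmentVariables($raw)   # expands %SystemRoot%
        } |
        Sort-Object -Unique
}

function Test-NetworkDll {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # A catalog entry that points at a missing file is itself a finding.
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null
                               SHA256 = $null; NeedsReview = $true }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path        = $p
            Status      = [string]$sig.Status
            Signer      = $signer
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            # Anything not validly signed by Microsoft gets a second look.
            # Legitimate third-party providers (VPN, AV) will also land here.
            NeedsReview = ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

# mswsock.dll is the file named in the errors above; the rest come from the catalog.
$paths = @("$env:SystemRoot\System32\mswsock.dll") + @(Get-WinsockProviderPath) |
    Sort-Object -Unique
Test-NetworkDll -Path $paths | Format-Table -AutoSize
```

A clean result only means something once the rootkit itself is gone, since an active one can hide file changes from the running OS. Rows marked NeedsReview are prompts to compare the file against a known-good copy, not verdicts.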

Thank you to https://robbiecrash.me for helping me diagnose this issue.
