Udp Packets

[rajesh_chd]

Thanks for excellent free anti virus. I installed it a few months back and it was working fine. Though a few days back I applied a rule to my D-Link router's firewall to block all UDP packets except to the DNS Server. Since then I am receiving these entries in my log

 

Jun  6 15:55:07  |  Drop UDP packet from LAN (src:192.168.1.221:58665, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:55:04  |  Drop UDP packet from LAN (src:192.168.1.221:58664, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:55:01  |  Drop UDP packet from LAN (src:192.168.1.221:58664, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:54:16  |  Drop UDP packet from LAN (src:192.168.1.221:54783, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:54:13  |  Drop UDP packet from LAN (src:192.168.1.221:54783, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:54:10  |  Drop UDP packet from LAN (src:192.168.1.221:54782, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:54:07  |  Drop UDP packet from LAN (src:192.168.1.221:54782, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:53:21  |  Drop UDP packet from LAN (src:192.168.1.221:64958, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:53:18  |  Drop UDP packet from LAN (src:192.168.1.221:64958, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:53:15  |  Drop UDP packet from LAN (src:192.168.1.221:64957, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:53:12  |  Drop UDP packet from LAN (src:192.168.1.221:64957, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:52:27  |  Drop UDP packet from LAN (src:192.168.1.221:53217, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:52:24  |  Drop UDP packet from LAN (src:192.168.1.221:53217, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:52:21  |  Drop UDP packet from LAN (src:192.168.1.221:53216, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:52:18  |  Drop UDP packet from LAN (src:192.168.1.221:53216, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:51:33  |  Drop UDP packet from LAN (src:192.168.1.221:58625, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:51:30  |  Drop UDP packet from LAN (src:192.168.1.221:58625, dst:174.129.28.78:53) by firewall rule.
Jun  6 15:51:27  |  Drop UDP packet from LAN (src:192.168.1.221:58624, dst:174.129.28.78:32137) by firewall rule.
Jun  6 15:51:24  |  Drop UDP packet from LAN (src:192.168.1.221:58624, dst:174.129.28.78:32137) by firewall rule.

 

On IP Lookup I found that this address is of amazon.com. A bit concerned, I used tcpview utility to see the active connections and found out that agent.exe is sending these packets. I believe agent.exe belongs to immunet. I want to uninstall the immunet but could not find a link to uninstall. I tried to uninstall it using ccleaner but that hanged in between.

 

Now I have 2 questions

 

1. Why these UDP packets need to go to amazon.com?

2. How to uninstall immunet?

 

Additional information

 

O/S : Windows 7 professional

Immunet version : 2.0.17.48

 

 

Thanks

 

Rajesh

[Guest Orlando]

Hi Rajesh,

 

The IP address associated with amazon.com is : 72.21.194.1 (you can found it here), but I can't help you a lot on this point.

 

For remove Immunet, please use Immunet Protect Removal Tool, and it will do it automatic or run this C:\Program Files\Immunet Protect\2.0.17\uninstall.exe

 

If there are any problems, tell me.

 

Orlando

[millard@immunet.com]

Today Immunet uses Amazon for it's infrastructure. That may change in the future. There has been some protocol changes in 3.0.2: http://forum.immunet.com/index.php?/topic/1104-immunet-302-beta-available/

As for uninstall, there is usually a file in C:\Program Files\Immunet Protect\2.0.17\uninstall.exe or the tool that Orlando pointed out.

[sweidre]

IP Address Strand: 174.129.28 ShareThis

http://www.plotip.com/ip/174.129.28

This IP belongs to Amazon.com,inc., Seattle, Washington, US!

Cheers,

sweidre

[rajesh_chd]

Thanks everyone for responding. I tried to uninstall Immunet as per instructions. Here are the outcomes

 

1. uninstall.exe : Still hangs at "Cleanup agents", does not uninstall

 

2. Uninstall utility : Avira does not allow to open the downloaded file. Avira recognized this as some backdoor trojan.

[ritchie58]

Some anti-virus software will recognize the Immunet Removal Tool as malware. This is a false positive. If you add the removal tool's .exe file to Avira's exclusion list or just temporally disable Avira the uninstaller should work.

[Guest Orlando]

Hi again Rajesh,

 

First open services (START --> in the searchbar type "services.exe" and press enter) in the services stop Immunet Protect Service and open your Task Manager ctrl+shift+esc search iptray.exe and agent.exe and end them. Then run again the uninstall.exe

 

About Immunet Protect Removal Tool, as ritchie58 said, it's a False Positive, so you can disable your Avira product when you use it.

 

Orlando

[Rob.T]

Hi Rajesh, try Revo Uninstaller (http://www.revouninstaller.com). I used it to uninstall a corrupted Immunet 2.0.16 installation yesterday and it did a fairly good job:

 

1) Open an elevated cmd prompt and run "net stop immunetprotect" and "taskkill /IM iptray.exe"

2) Use Revo to uninstall immunet, rebooting as required. Skip the second step where it tries Immunet's uninstaller (i.e. cancel/close Immunet's uninstaller before proceeding with Revo's step 3).

3) After revo is done, go to Add/Remove Programs and remove Immunet if it still exists.

4) Open an elevated cmd prompt and run "sc delete immunetprotect". Run "services.msc" and verify the service for Immunet/ClamAV has been deleted.

5) Done, reboot once more and reinstall the latest version of Immunet

[rajesh_chd]

Thanks for quick and nice support. I have removed old installation and currently downloading latest version(looks at RobT ). Though I would like to clear my doubts about UDP packets. I guess but not sure that these UDP packets are accessing amazon servers for virus signatures. If yes, then I will add rules to my firewall to allow UDP packets to amazon servers. Can someone please provide a list of IP addresses of Amazon servers. Thanks once again.