avast wants to connect to xxx.theplanet.com

When I start the avast user interface from the system tray icon, the program wants to make an https connection to changing IP addresses. First time it was 74.55.78.91 (5b.4e.374a.static.theplanet.com). After reboot and starting the UI again, it was 209.62.2.75 (ev1s-209-62-2-75.theplanet.com). Another one is 174.123.201.115 (73.c9.7bae.static.theplanet.com).

Until today I could not observe this behavior. But it happened just after I got the system message that the file \DOKUME~1\ALLUSE~1\ANWEND~1\Alwil Software\Avast5\db1cb279762572cc0-20055c1d.dat is corrupted.

It looks a bit strange to me that the avast software tries to connect to changing IPs.

Is this behavior normal or do I have a problem?

OS: Windows XP SP2, avast program version 5.1.889, virus db 110201-1

http://forum.avast.com/index.php?topic=70183.0

Please read:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

XP SP 3 adds many Critical Updates and performance enhancements


Also see this link:

http://forum.avast.com/index.php?topic=42410.msg355190#msg355190


Thanks for your links to other threads.

Regarding http://forum.avast.com/index.php?topic=70183.0:

This thread is mainly about updating. Updating has worked fine for a long time without accessing the IPs I mentioned above. The file ‘servers.def’ does not contain the suspicious IPs and domain names. No entry in servers.def starts with https.

Regarding http://forum.avast.com/index.php?topic=42410.msg355190#msg355190:

That means some avast servers are hosted by theplanet.com. But this gives me no guarantee that none of their servers is malicious. The names of nearly all servers in ‘servers.def’ end with ‘avast.com’. None is called ‘theplanet.com’ or ‘PRODUCTSUWANT22.COM’. BTW scandoo has stopped their service.


Still I believe something is wrong with my avast program. Either it is infected itself or it collects private data without notice.

I feel pretty uncomfortable.

As written previously, we are using server housing at many locations from many providers. Many servers are at theplanet.com. When we are adding new servers to our farm, we set their reverse DNS record to something.avast.com, but this depends on the provider because of the DNS protocol architecture.
Sometimes it takes a longer time to set the DNS record (as it is usually a batch of twenty servers), but the servers are already used by us for program and virus definitions updates. In that time, they may have the old (as the provider is recycling IP addresses, the reverse stalls at the name of the previous customer) or default (something.theplanet.com, something.softlayer.com) reverse DNS record.
Also sometimes the reverse DNS record may change because of some administrative error at the provider.
However, avast!'s setup is using signing of files and it also uses a signed list of the update servers with direct IP addresses or forward DNS addresses (which are under our control, so they are set before the server goes public), so it always connects to our servers.
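
The distinction drawn in the reply above, as an added example that is not part of the thread and not avast's code: whether a destination IP is expected is decided from the verified server list (direct IPs and forward names), while the reverse DNS name is only informational. All names, addresses and the list layout are constructed, and the signature check on the list is assumed to have already passed.

```python
import ipaddress

# Constructed sample data: not avast's server list and not real DNS answers.
# Entries of an update-server list whose signature is assumed already verified:
# direct IP addresses or forward DNS names in a zone the vendor controls.
SIGNED_SERVERS = ["203.0.113.5", "download1.vendor.example", "download2.vendor.example"]

# Forward (A) records, set by the vendor before a server goes public.
FORWARD_A = {
    "download1.vendor.example": ["192.0.2.10"],
    "download2.vendor.example": ["192.0.2.11", "198.51.100.7"],
}

# Reverse (PTR) records, set by whoever holds the IP block (the hosting provider).
REVERSE_PTR = {
    "192.0.2.10": "download1.vendor.example",           # PTR already updated
    "192.0.2.11": "0b.02.00c0.static.hosting.example",  # provider default name
    "198.51.100.7": "mail.previous-customer.example",   # stale, recycled address
    "203.0.113.99": "download1.vendor.example",         # PTR names the vendor, A record disagrees
}


def trusted_ips(entries, forward):
    """Expand the verified list into the set of IPs the client may contact."""
    ips = set()
    for entry in entries:
        try:
            ips.add(str(ipaddress.ip_address(entry)))   # direct IP entry
        except ValueError:
            ips.update(forward.get(entry, []))          # forward DNS name
    return ips


def classify(ip, entries=SIGNED_SERVERS, forward=FORWARD_A, reverse=REVERSE_PTR):
    """Return (verdict, ptr_name, forward_confirmed) for one destination IP."""
    ptr = reverse.get(ip)
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
    confirmed = ptr is not None and ip in forward.get(ptr, [])
    verdict = "expected" if ip in trusted_ips(entries, forward) else "unexpected"
    return verdict, ptr, confirmed


if __name__ == "__main__":
    for addr in ["203.0.113.5", *REVERSE_PTR]:
        print(addr, *classify(addr))
```

A provider-default or stale PTR name on a listed IP still classifies as expected, and a PTR that names the vendor on an unlisted IP does not make it expected.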