Lately I found that my machine connects to the following IP addresses all the time:
5.22.191.154
5.22.191.152
5.22.191.138
Connections are made by the following processes:
avastsvc.exe
avastemupdate.exe
instup.exe
firefox.exe
svchost.exe
on port 80 no less…
I did whois research and found that those IPs are registered to Serbia BroadBand-Srpske Kablovske mreze d.o.o.
That was suspicious to me, so I blocked those IPs in my router, and now the avast update doesn’t work…
So my question is:
Are you hosting updates on those servers? If so, that would explain the avastsvc, avastemupdate and instup connections, but then why do firefox and svchost use the same IPs too? Is this legit, or do I have some zero-day exploit installed? I check my machine regularly with multiple tools and, to my best knowledge, it is clean.
I have another problem that is not that important, it’s more mildly annoying: why do avastsvc connections to *.avast.com often stay in the CLOSE_WAIT state?
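The triage described in the post (which remote IPs, which processes own the sockets, what TCP state they sit in) can be done systematically from `netstat -ano` output plus a PID-to-name map taken from `tasklist`. The script below is an added example and is not code from the original thread or from Avast. The netstat lines, the PIDs and the two addresses outside 5.22.191.x (documentation-range stand-ins for an *.avast.com host and an unrelated site) are constructed sample data. It groups connections by remote IP, lists destinations shared by several distinct processes (the pattern the post asks about), counts CLOSE_WAIT sockets per process, and computes the smallest CIDR block that covers a set of IPs, which shows whether they sit in one allocation before you look the block up in whois.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of Windows `netstat -ano` output.
# The 5.22.191.x addresses and process names are those named in the post;
# PIDs, local ports and the other two remote addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49201     5.22.191.154:80        ESTABLISHED     1204
  TCP    192.168.1.10:49202     5.22.191.152:80        ESTABLISHED     1204
  TCP    192.168.1.10:49210     5.22.191.138:80        TIME_WAIT       0
  TCP    192.168.1.10:49215     5.22.191.154:80        ESTABLISHED     3310
  TCP    192.168.1.10:49220     5.22.191.152:80        ESTABLISHED     2288
  TCP    192.168.1.10:49225     5.22.191.154:80        ESTABLISHED     908
  TCP    192.168.1.10:49230     198.51.100.5:443       CLOSE_WAIT      1204
  TCP    192.168.1.10:49231     198.51.100.5:443       CLOSE_WAIT      1204
  TCP    192.168.1.10:49240     203.0.113.7:443        ESTABLISHED     3310
  UDP    0.0.0.0:5353           *:*                                    2288
"""

# Constructed PID -> image name map, as you would build it from `tasklist`.
PID_NAMES = {1204: "avastsvc.exe", 3310: "firefox.exe",
             2288: "svchost.exe", 908: "instup.exe"}

# TCP lines carry a state column; UDP lines do not, so the state group is optional.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: str
    state: str  # "" for UDP, which has no TCP state
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano` text into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        ip, _, port = remote.rpartition(":")  # handles "1.2.3.4:80", "[::1]:443" and "*:*"
        conns.append(Conn(proto, local, ip, port, state or "", int(pid)))
    return conns


def summarize_by_remote(conns, pid_names):
    """Map each remote IP to the processes, ports and TCP states seen for it."""
    summary = {}
    for c in conns:
        if c.remote_ip in ("*", "0.0.0.0", "[::]"):
            continue  # listening or unbound sockets have no real peer
        entry = summary.setdefault(
            c.remote_ip, {"processes": set(), "ports": set(), "states": Counter()})
        entry["ports"].add(c.remote_port)
        if c.state:
            entry["states"][c.state] += 1
        if c.pid != 0:  # PID 0 means no owning process (typical for TIME_WAIT)
            entry["processes"].add(pid_names.get(c.pid, f"pid:{c.pid}"))
    return summary


def shared_destinations(summary, min_processes=2):
    """Remote IPs contacted by at least `min_processes` distinct processes."""
    return sorted(ip for ip, e in summary.items() if len(e["processes"]) >= min_processes)


def close_wait_by_process(conns, pid_names):
    """Count CLOSE_WAIT sockets per owning process (the app has not closed its end)."""
    counts = Counter()
    for c in conns:
        if c.state == "CLOSE_WAIT" and c.pid != 0:
            counts[pid_names.get(c.pid, f"pid:{c.pid}")] += 1
    return counts


def common_network(ips):
    """Smallest IPv4 CIDR block containing every address in `ips`."""
    ints = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    for prefix in range(32, -1, -1):
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if len({i & mask for i in ints}) == 1:
            return str(ipaddress.IPv4Network((ints[0] & mask, prefix)))
    raise AssertionError("unreachable: prefix 0 always matches")


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    summary = summarize_by_remote(conns, PID_NAMES)
    for ip, e in sorted(summary.items()):
        print(ip, sorted(e["processes"]), sorted(e["ports"]), dict(e["states"]))
    print("shared by several processes:", shared_destinations(summary))
    print("CLOSE_WAIT per process:", dict(close_wait_by_process(conns, PID_NAMES)))
    print("covering block:", common_network(["5.22.191.154", "5.22.191.152", "5.22.191.138"]))
```

On the sample data the three 5.22.191.x addresses collapse to 5.22.191.128/27, so a single whois lookup on that block answers the registration question; a destination that several unrelated processes reach on port 80 is what you would expect from a shared HTTP mirror or cache, and the CLOSE_WAIT count per process shows which application is leaving half-closed sockets behind rather than the remote side.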
Don't block those. @_@ You clearly see that multiple programs are using it. Is Serbia Broadband your ISP? It's possible that it's only a redirection or routing. Blocking antivirus software from updating is stupid. If your tools are not detecting anything, why do you say that it's a zero-day exploit? Hand combat it yourself if possible.
I don’t want to block avast, I just want to confirm that its use of those servers is legitimate. I find it a little strange that updates are not hosted on some avast domain.