Inexplicable analyzed connection found intermittently on Avast!'s Network Shield

Hello, guys, it’s me again. :wink:

I don’t know if this is anything to be concerned about, since Avast! doesn’t detect it as anything amiss, but I was wondering if the following “analyzed connection” on both Avast!'s Network and Web Shields means anything when it seems to happen occasionally and for no apparent reason:

hxxp://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

As far as I know, this site is legit, but nothing on any of my Firefox tabs contains this particular URL in the page source. So I’m wondering why there is an intermittent network connection to this site in the first place. I have yet to isolate a pattern as to when it occurs; it’s just something I happen to catch once in a while when looking at the Network or Web Shield traffic.

Does anyone else have this happen, or does anyone know if there is any kind of malware that could cause this? I’ve been doing boot time scans with Avast! and regular scans with Malwarebytes’ Anti-Malware and SUPERAntiSpyware every few days or so, and they never pick up anything. Yes, I am a bit paranoid and OCD about this. =P

Again, thanks in advance.

What do you mean by “analyzed connection”?
e.g. is this an error screen or analysed by whom, etc.

If you mean that the web shield and network shields scan it, that isn’t unusual as if you are at a BBC page that has links and activity to that news rss feed or something like that the page would be retrieving data from that page so ‘would rightly’ be scanned.

By “analyzed connection,” I mean the text that shows up below the Shield Traffic graph for the Real-Time Shields. It displays a ratio of “Connections scanned/infected,” and then below that, it says “Last analyzed connection” with the URL that Avast! last scanned (if I’m understanding correctly).

But that’s the thing: I’m not at any BBC pages whatsoever. I rarely visit that site unless directly linked to a news article there by someone. In this case, it just seems to happen for no reason, even though none of the pages I have open in Firefox have any links to that RSS feed. I’ve double-checked by looking at the page source for each of the pages open in my tabs, and none of them make any reference to bbc.co.uk. Which is why this behavior seems a bit odd to me.

Hi karmic justice,

Checking with DrWeb online scanner: hxtp://newsimg.bbc.co.uk/nol/shared/js/nol4.js?v4

Checking: hxtp://fls.uk.doubleclick.net/activityi;src=1767822;type=bbcco201;cat=bbcco862;ord=1?
File size: 331 bytes
File MD5: 381ecd77429ba1ae74f3054632b55aeb

hxtp://fls.uk.doubleclick.net/activityi;src=1767822;type=bbcco201;cat=bbcco862;ord=1? - Ok

hxtp://newsrss.bbc.co.uk - Ok Seems clean,
but still the site is suspicious,
because of 1 hidden link:

Thanks so much for taking the time to look into this, Polonus! =)

Ugh, and I thought I had doubleclick.net Adblocked. =P FTR, I use Adblock Plus and NoScript (with very few sites whitelisted), but the former isn’t 100% effective at catching absolutely everything until I’ve reviewed the blockable elements on the page to manually block unwanted stuff, and the latter can’t be 100% effective if I have to temporarily whitelist a page just to perform the simplest function (microsoft.com, I AM LOOKING AT YOU).

At this point, since no scanners are finding anything specific as to what’s causing this behavior, should I just reinstall Firefox from scratch and/or block newsrss.bbc.co.uk to see if that puts an end to it?

Hi karmic justice,

For these reasons I have three add-ons inside the Fx or Flock browser: ABP, NoScript and also RequestPolicy. The latter can just block third-party requests in this line and duty, so it is excellent in this case. Install the newest release from here:
http://www.requestpolicy.com/ or a previous version from the official Fx add-on site if you feel more comfortable with that: https://addons.mozilla.org/en-US/firefox/addon/9727/
With these three extensions I feel completely secure against the newest online threats, I hope you will be soon too,

kindest regards,

polonus (malware fighter)

;D @ karmic justice

hxxp://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml >>> :smiley: you got this rss feed by default in your Firefox bookmarks, therefore it’s being scanned by Avast; it’s just the feed synchronizing (see “latest headlines”)… :wink:

As I said in my first reply, I believe if you have any RSS feed for bbc news then when you open your browser and have a connection it will check for the latest RSS feed information.

The URL you initially gave, hxxp://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml, is to subscribe to a live bookmark, see image. Now my guess is that if at some point you already subscribed to this news service/feed then the link refreshes the bookmarked info.

So I would suggest checking your live bookmarks/rss feeds and see if this is in there.

Yes, reinstalling Firefox should solve this, but it is using a sledgehammer to crack a nut.
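Added example, not part of the original thread or any poster's code: one way to check a Firefox profile for live bookmarks that would explain a background connection to a given host. It assumes the Firefox 3.x Places schema, where a live bookmark's feed URL is stored as a `livemark/feedURI` item annotation; the database below is constructed sample data with only the columns the query needs, and the function names are hypothetical.

```python
import sqlite3
from urllib.parse import urlsplit

# Assumption: Firefox 3.x Places layout, where a live bookmark is a bookmark
# folder carrying a "livemark/feedURI" item annotation that holds the feed URL.
FEED_ANNO = "livemark/feedURI"

QUERY = """
SELECT b.title, a.content
FROM moz_items_annos a
JOIN moz_anno_attributes n ON n.id = a.anno_attribute_id
JOIN moz_bookmarks b ON b.id = a.item_id
WHERE n.name = ?
ORDER BY b.id
"""

def live_bookmark_feeds(conn):
    """Return (title, feed_url) for every live bookmark in a Places database."""
    return [(title, url) for title, url in conn.execute(QUERY, (FEED_ANNO,))]

def feeds_for_host(conn, host):
    """Titles of live bookmarks whose feed is served from the given host."""
    return [title for title, url in live_bookmark_feeds(conn)
            if urlsplit(url).hostname == host.lower()]

def build_sample_places():
    """Constructed stand-in for places.sqlite (minimal columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, title TEXT);
    CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE moz_items_annos (id INTEGER PRIMARY KEY, item_id INTEGER,
                                  anno_attribute_id INTEGER, content TEXT);
    INSERT INTO moz_bookmarks VALUES (1, 2, 'Bookmarks Toolbar');
    INSERT INTO moz_bookmarks VALUES (2, 2, 'Latest Headlines');
    INSERT INTO moz_bookmarks VALUES (3, 1, 'Getting Started');
    INSERT INTO moz_anno_attributes VALUES (1, 'livemark/feedURI');
    INSERT INTO moz_anno_attributes VALUES (2, 'bookmarkProperties/description');
    INSERT INTO moz_items_annos VALUES (1, 2, 1,
      'http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml');
    INSERT INTO moz_items_annos VALUES (2, 3, 2, 'constructed description');
    """)
    return conn

if __name__ == "__main__":
    # For a real profile, open a copy of places.sqlite instead of the sample.
    db = build_sample_places()
    for title in feeds_for_host(db, "newsrss.bbc.co.uk"):
        print("live bookmark polling this host:", title)
```
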

David, can you read my last post :slight_smile: thanks. The BBC rss feed is installed by default on all Firefox installs >>> see “latest headlines” in the bookmark toolbar

@Logos and @DavidR,

Apart from more issues we detect here thanks to Logos and DavidR, also the suspicious link from the main domain has been found.
Because the suspicious hidden link unmasked parasites undelved for us won’t go away, thanks to @karmic-justice for starting this thread else we had not found it. Just for these reasons this webforum is a formidable and valuable medium. Mind you all we see much and much more of this adware related malcode as avast is reporting since Febr. last, this will be a new unobtrusive way for the malcreants to have a free ride into the browser and accordingly into our machines, see this general warning: http://windowsteamblog.com/blogs/windowsexperience/archive/2010/04/07/protect-yourself-from-malicious-advertisements-with-internet-explorer-8.aspx

polonus

Yes, but avast isn’t alerting, all the OP is reporting is that the hxxp://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml URL was scanned.

Since there was no visit to the bbc.co.uk domain there is no risk. Not to mention that the doubleclick iframe is most likely gathering stats, but I, like many others, consider doubleclick.net the devil’s spawn and have it blocked using adblock plus ;D

@DavidR and @Logos:

Ahhhhh, I hadn’t even thought that it would have stemmed from my default Firefox bookmarks. I’m out and about now (am posting from BlackBerry), but will check when I get home, thanks so much! =) I feel like a derp for not even thinking to check there, but it was just something that never occurred to me.

@Polonus: RequestPolicy sounds like another useful tool, indeed; thanks for the recommendation! =) I will give it a shot as soon as I get home. And while I felt a little foolish over missing that bit in Firefox (the default bookmarks aren’t something I’ve ever much paid attention to, though I now know to be mindful of them), at least now we’re aware of yet another means of delivering ickware to us.

Thanks to all!

yeah, I don’t think either there’s anything malicious (like really malicious). There are iframes everywhere and most of them aren’t malicious. This is the BBC… and this is DoubleClick. Both are known, and I agree about the pretty high probability that it’s nothing more than gathering stats :wink:

Read it:
I haven’t got any on my firefox installation, but then again I generally get rid of this kind of cr*p very early in any browser installation, so I forgot about these default settings.

oh I don’t have it anymore either ;D I just remembered it was always there with the default profile that I launched to take the screen shot :wink: