Soupnutzy
If it is malware then it must be network related, either a router or another computer on the network that reinfects on reconnection.
302 redirects still happen, but now only on certain Google searches. Various scans are negative. O.K., BSA seems to be working well now. Thank you for the help, Buster, I appreciate it.
_________________ And the PC User said, The Cracker beguiled me, and I did execute.
Buster
Glad to help you.
iycgtptyarvg
I always get "Reghive not found! Please click on restart!" when I press "Stop analysis".
What am I doing wrong?
_________________ (\__/) (='.'=) This is Bunny. Copy and paste bunny into (")_(") your signature to help him gain world domination.
Oneder
From the PDF usage file within the BSA folder: "Note: Automatically delete contents of sandbox must be disabled. And all processes must be terminated within the sandbox before hitting 'Stop analysis'."
_________________ Hunting the Hunter!
iycgtptyarvg
That option is not turned on. In fact, all the data is still in the directories. I have it pointing to "C:\Sandbox". Is that correct?
Buster
No, it's not. From the manual: To start working with BSA you must specify which sandbox folder you will work with. The sandbox folder must be defined at "Sandbox folder to check". If you are not sure of the folder you must specify, follow these steps:
1. Sandbox NOTEPAD.EXE (any other application will be fine also).
2. Right-click Sandboxie's tray icon.
3. Select "DefaultBox" or whatever sandbox you want to use.
4. Click "Explorer Contents". A Windows Explorer window will be opened.
5. Copy the path from Windows Explorer and paste it in "Sandbox folder to check".
iycgtptyarvg
I did exactly that... it opened Windows Explorer at the "C:\Sandbox" directory. What should I have it point at then?!?
Buster
It should be something like: C:\Sandbox\Something\DefaultBox. You know it's the correct folder because the Reghive and Reghive.log files are there.
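The check Buster describes above (the right "Sandbox folder to check" is the box folder itself, which holds Reghive and Reghive.log, not the C:\Sandbox root that Explorer opens) can be automated. The script below is an added example and is not part of the thread, of BSA or of Sandboxie; it walks a candidate folder, reports the box folders it finds, and tells you whether the path you typed into BSA is the root or the box. The directory layout it builds for the demo (`Sandbox\someuser\DefaultBox`) is constructed here to mirror the `C:\Sandbox\Something\DefaultBox` shape from Buster's post; the folder names are assumptions.

```python
"""Locate the Sandboxie box folder that BSA should be pointed at.

Added example, not code from the forum thread, BSA or Sandboxie.
A box folder is recognised by the presence of both Reghive and
Reghive.log directly inside it; the sandbox root above it does not
contain them, which is why pointing BSA at C:\\Sandbox yields
"Reghive not found".
"""
import os
import tempfile

# Both files must sit directly in the box folder (compared case-insensitively).
REQUIRED = ("reghive", "reghive.log")


def is_box_folder(path):
    """True when Reghive and Reghive.log both live directly in `path`."""
    try:
        names = {n.lower() for n in os.listdir(path)}
    except OSError:
        return False
    return all(req in names for req in REQUIRED)


def find_box_folders(root, max_depth=3):
    """Walk `root` at most `max_depth` levels deep and return box folders found."""
    found = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []  # stop descending
        names = {n.lower() for n in filenames}
        if all(req in names for req in REQUIRED):
            found.append(dirpath)
            # Everything below a box is the sandboxed program's own file
            # tree, never another box, so do not descend into it.
            dirnames[:] = []
    return sorted(found)


def check_bsa_path(path):
    """Return (ok, message) for a candidate 'Sandbox folder to check'."""
    if is_box_folder(path):
        return True, "OK: %s contains Reghive and Reghive.log" % path
    candidates = find_box_folders(path)
    if candidates:
        return False, "%s is the sandbox root, not a box; use one of: %s" % (
            path, ", ".join(candidates))
    return False, ("no Reghive/Reghive.log found under %s; run something "
                   "sandboxed first, then look again" % path)


def build_demo_tree(base=None):
    """Create a constructed Sandbox\\someuser\\DefaultBox layout (demo only).

    Returns (sandbox_root, box_folder). Names are assumptions, not real data.
    """
    if base is None:
        base = tempfile.mkdtemp()
    root = os.path.join(base, "Sandbox")
    box = os.path.join(root, "someuser", "DefaultBox")
    os.makedirs(os.path.join(box, "drive", "C"), exist_ok=True)
    for name in ("RegHive", "RegHive.log"):
        open(os.path.join(box, name), "wb").close()
    return root, box


if __name__ == "__main__":
    import sys
    # Usage: python find_box.py C:\Sandbox   (or no argument for the demo tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()[0]
    print(check_bsa_path(target)[1])
```

Run it against the path you pasted from Explorer: if it answers that the path is the sandbox root, copy one of the listed box folders into "Sandbox folder to check" instead. If it finds nothing, no sandboxed program has written a registry hive yet, which is the same situation the "Reghive not found" message reports.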
Oneder
XP VM.
Buster, can you check that Calculator or Notepad comes up if run sandboxed where BSA is set to monitor? If I delete the line "InjectDll=c:\bsa\log_api.dll" then Calculator runs OK sandboxed, but it doesn't come up with that line present. Tried SB version 3.46 and the latest beta. On a Win 7 VM Calculator runs sandboxed with that line present. Could be my setups?
Buster
For some reason I don't know, LOG_API.DLL makes certain applications crash, like the ones you mention.
Soupnutzy
Hi Buster,
I wanted to update you and get your thoughts on the 302 redirect issue I was having. While using Sandboxie I started getting 302 redirects after using BSA. I still don't know what is causing them but have discovered some functions they have.
Can MITM create this situation by going around SBIE as opposed to through it? Thanks, Soupnutzy
Buster
Disable System Restore and check.
Mike
I dunno, that sounds a lot like a Google redirect virus: http://www.google.com/support/forum/p/Web+Search/thread?tid=6df7e15519290612&hl=en http://www.pcmag.com/article2/0,2817,2370676,00.asp
Soupnutzy
Buster has also suggested an infection. I do not doubt either of your conclusions, but struggle to understand the reinfection vector. I wipe and reinstall from manufacturer media, only surfing through Sandboxie, and still become infected. The only explanations I have for this behavior are MITM, firmware infection, or targeted network intrusions. Of the three, MITM and targeted network intrusions are the most likely. Unfortunately I can't check the router for infection. Running various TDL cleaners, they are terminated quickly after running or, in the case of TDSS Remover, BSOD. Antivirus and anti-malware scans are negative. I have sent the minidump of the BSOD to Esage Labs but they have not responded yet, and there is no new version since 10/11/10.
@Buster: I have turned off the restore point, WOW, 2+ GB. I dislike Vista's non-obvious method of disabling System Restore. Deleting temp files after a shutdown and restart revealed 5 MB of temp files. FF/Sandboxie was empty. No more 24 KB presence. Now I just WAS (wait and see), hoping for the TDL warriors to make another charge while I look into reboot-to-restore software.
Buster Sandbox Analyzer