Welcome to SWI! I hope you are still reading this.
The best (in fact, the ONLY) reference on how to write BFU scripts is the RTF file documentation Merijn includes with the BFU.exe download (which I see you say you have read). If you are familiar with shell or batch scripting, it is a similar sort of syntax, though with more commands obviously. You sound like you have programming experience.
Where did the checksum entries come from in the script? Are they particular to the spyware?
Yes they are. They just happen to be checksums that match the files of this infection. We know this because we harvest infectors and infected files from users, infect ourselves with them on isolated test systems, and analyze the files for identifying features (filenames, checksums, hex patterns, printable strings, registry behavior, etc.), to use to identify infected files. I didn't write the fix you saw me using, it was by one of our experts LonnyRJones, but that is how in general we come up with these.
Is each BFU script unique to a given computer's problem?
This particular BFU script (the Qoologic one) is unique to the newest Qoologic infection, but it should work on any Windows 2000/XP system.
There were a couple of executables that showed up when running in Task Manager's process window and as files on the hard drive, but in Safe Mode they disappeared.
That's not really unexpected though, is it? The point of Safe Mode is that normal programs listed under normal Run keys in the registry do not execute on boot. I happen to know that one component of the Qoologic infection runs itself via this method, so it would not be active in Safe Mode. (Other components, those F2s you saw in your HijackThis log, do not fall prey to this weakness.) Or you might have been seeing other infections that were not running in Safe Mode for the same reason. It is rare for a user to have one infection alone nowadays, unfortunately, since everything comes in downloader bundles.
Help! I feel like we're losing the war here.
I know what you mean, and unfortunately you're right. We are losing. And we need all the man- and woman-power we can get. If you are interested in joining the team, we would love to have you; please see The Boot Camp Here. We train helpers, and if you have development/programming experience there is always use for that too.
Did you want specific help with the infected machines? If so you can post a HijackThis log here and I'd be happy to take a look at it.
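As an added illustration of the file-identification work the reply describes (harvested samples examined for filenames, checksums, hex patterns and printable strings, then matched against a signature), here is a small Python example. It is not code from the SpywareInfo post, from LonnyRJones' fix, or from the BFU tool. The sample file contents, the marker bytes, the strings and the signature name are all constructed for the demo and do not identify any real Qoologic component; SHA-256 is used as the checksum here as an assumption, since the BFU documentation, not this example, defines which checksum its scripts actually use.

```python
"""Added example: match constructed sample files against a hand-written signature
using the feature classes named in the reply (checksum, hex pattern, printable
strings, filename). Not part of the original post or of BFU."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample contents (NOT real malware): a fake MZ header, a Run-key
# string and a made-up 4-byte marker stand in for features seen on a test system.
INFECTED = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xde\xad\xbe\xef" + b"\x00" * 8
)
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("svchosts.exe", INFECTED),                  # harvested copy: exact checksum hit
    ("svchosts.exe", INFECTED + b"\x00"),        # repacked variant: checksum differs
    ("svchosts.exe", b"MZ\x90\x00clean file"),   # same filename, benign content
    ("notepad.exe", b"MZ\x90\x00" + b"Notepad is a basic text editor\x00"),
]


@dataclass
class Signature:
    name: str
    sha256: Optional[str] = None                          # exact checksum: strongest evidence
    hex_patterns: List[bytes] = field(default_factory=list)  # every pattern must occur
    strings: List[str] = field(default_factory=list)         # every string must occur
    filenames: List[str] = field(default_factory=list)       # weakest evidence on its own


def sha256_of(data: bytes) -> str:
    # Assumption for the demo; BFU's own checksum format is defined in its RTF docs.
    return hashlib.sha256(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Like the `strings` utility: runs of at least min_len printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def classify(filename: str, data: bytes, sig: Signature) -> Optional[str]:
    """Return the strongest class of evidence that `data` matches `sig`, or None."""
    if sig.sha256 and sha256_of(data) == sig.sha256:
        return "checksum"
    if sig.hex_patterns and all(p in data for p in sig.hex_patterns):
        found = printable_strings(data)
        if all(any(s in f for f in found) for s in sig.strings):
            return "pattern+strings"
    if filename.lower() in (n.lower() for n in sig.filenames):
        return "filename-only (weak)"
    return None


def scan(files: List[Tuple[str, bytes]], sigs: List[Signature]) -> List[Tuple[str, str, str]]:
    """Return (filename, signature name, evidence class) for every file that matches."""
    hits = []
    for name, data in files:
        for sig in sigs:
            kind = classify(name, data, sig)
            if kind:
                hits.append((name, sig.name, kind))
    return hits


# Hypothetical signature "harvested" from the constructed infected sample above.
DEMO_SIG = Signature(
    name="Demo.Qoologic-like",
    sha256=sha256_of(INFECTED),
    hex_patterns=[b"\xde\xad\xbe\xef"],
    strings=["CurrentVersion\\Run"],
    filenames=["svchosts.exe"],
)

if __name__ == "__main__":
    for name, sig_name, kind in scan(SAMPLE_FILES, [DEMO_SIG]):
        print(f"{name}: {sig_name} via {kind}")
```

The ordering in `classify` is the point: a checksum identifies one exact file, a hex pattern plus strings survives the trivial repacking that defeats the checksum, and a filename match alone is only a hint, which is why the reply lists several feature classes rather than relying on one.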