#9758 .htaccess hijacked my live site index.html to the test site index.php

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Friday, 22 April 2011 02:15 CDT

timbreese
I recently created and saved an .htaccess file on a test site that is running on the same server as the live one. Unfortunately, rather than protecting the test site, it is now redirecting the live harrychapinmusic.com/index.html to harrychapinmusic.com/index.php, which is the test site.

What is the best way to protect the test site while preserving the URL resolving to the live site?

Thanks!

nicholas
Akeeba Staff
Manager
I assume that you transferred the dev site to the live site using Akeeba Backup. In this case, there is a post-restoration configuration step you have to follow on the live site:
1. Remove the .htaccess file
2. Log in to your site's back-end
3. Go to Admin Tools, .htaccess Maker
4. Expand the last slider ("System Configuration")
5. In the two hostname fields, enter the domain name of your live site.
6. Click on "Save and Create .htaccess"

Checkmate :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

timbreese
Thanks! I will try that. So can I put http://harrychapinmusic.com/index.html as the domain name? Right now it is only the difference between html and php which differentiates the live and the test sites.

I have also had a lot of weirdness happen with VirtueMart when I turned on the .htaccess i.e. missing product photos in modules and when logging in to the admin area it removes all of the template CSS formatting and I get text and links.

Perhaps it is better to wait until the site goes live before turning on the .htaccess but I have had issues with viruses on other Joomla sites in the past.

nicholas
Akeeba Staff
Manager
Admin Tools does not redirect index.html to index.php, but Joomla! itself essentially does if you have a menu item with an alias of "index". You will, of course, need to have a .htaccess file and you must not have a real file named index.html in your site's root.

Regarding VirtueMart, you may need to follow the advice on this documentation page to figure out if you need any exceptions. You should also turn off the Referer Filtering option in .htaccess Maker - VirtueMart is a bit naughty with the way it handles URLs and may inadvertently trigger that protection if it's enabled.

Regarding the problems you had with viruses, prevention is the best approach. On top of using Admin Tools' .htaccess Maker and the Web Application Firewall you have to ensure that you follow some sane administrative procedures:
1. Make sure you are always using the latest Joomla! 1.5.x release. Anything less and your site can be hacked.
2. Make sure you are using the latest release of all of your extensions (components, modules, plugins and templates). Especially with templates, many webmasters ignore them. Joomla! templates have more PHP code than artwork and are susceptible to vulnerabilities. Template clubs provide updates constantly. For instance, RocketTheme provides updates for its templates once or twice per month. You must install them, otherwise your site may be vulnerable.
3. Follow Joomla!VEL which lists vulnerable extensions. If you have one of the affected versions, follow VEL's advice. For example, when we launched Admin Tools 1.1.2 we reported that all previous releases were susceptible to medium priority XSS attacks. VEL added that information on a green row. Green means that the latest version published by the author fixes the issue. Red rows mean that there is no known workaround and the extension must be uninstalled.
4. Backup, backup and backup. Use daily (or more frequent) backups to an off-site location. If something goes wrong it's easier to trash the site and restore from a backup than trying to unhack it. Backups are the airbag and seatbelt of your site. You shouldn't ride a site without them ;) There are a lot of backup solutions. There's manual backups, there's Akeeba Backup (obviously!), there's XCloner and, of course, some less featured solutions out there. Pick one that suits your needs.

These are 4 very simple steps that can help you keep your site hack-free for a very long time.

timbreese
"Regarding VirtueMart, you may need to follow the advice "how to determine which exceptions are required" to figure out if you need any exceptions. You should also turn off the Referer Filtering option in .htaccess Maker - VirtueMart is a bit naughty with the way it handles URLs and may inadvertently trigger that protection if it's enabled."

You may have changed the name for the Referer Filtering option in AdminTools. Do you mean "Redirect index.php to the site's root"?

nicholas
Akeeba Staff
Manager
Ah, I typed that one too fast. I meant go to .htaccess Maker, expand the Server Protection slider and set "Anti-leech protection for static resources outside images/stories" to No, then Save and Create .htaccess. The anti-leech protection does referer filtering, hence the wrong mention of the label.

timbreese
I'm now taking my site live and I am getting a 403 error when I try to test a registration through VirtueMart. I tried to check it with Google Chrome Developer Tools, but it didn't give me a clue. I turned off the Anti-Leech Protection.

What else could it be?

Thanks, Tim

slaes
Be sure to check administrator/components/com_virtuemart/virtuemart.cfg.php

Lines 34 and 35 MUST reflect your exact site address or this will happen.


They should read exactly like below:

define( 'URL', 'http://www.site.com/' );
define( 'SECUREURL', 'http://www.site.com/' );

Forget the end / and it'll break.

Also note: if your .htaccess file is redirecting non-www to www, the above MUST be www or it'll all break.
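
An added example, not part of the post above and not VirtueMart's own code: a small Python check that the `URL` and `SECUREURL` defines in virtuemart.cfg.php end with a slash and use the hostname that .htaccess redirects visitors to. The function name `check_vm_urls`, the `canonical_host` parameter and the example.com values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches define( 'NAME', 'value' ); with either quote style.
# Limitation: a commented-out define line would match as well.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](URL|SECUREURL)['"]\s*,\s*['"]([^'"]*)['"]\s*\)\s*;""")

def check_vm_urls(cfg_text, canonical_host):
    """Return a list of problems found in the URL / SECUREURL defines.

    canonical_host is supplied by the admin: the hostname that the site's
    .htaccess redirect (www or non-www) finally lands on.
    """
    found = dict(DEFINE_RE.findall(cfg_text))
    problems = []
    for name in ("URL", "SECUREURL"):
        if name not in found:
            problems.append(f"{name}: not defined")
            continue
        value = found[name]
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https"):
            problems.append(f"{name}: not an http(s) URL: {value!r}")
            continue
        if not value.endswith("/"):
            problems.append(f"{name}: missing trailing slash")
        host = (parts.hostname or "").lower()
        if host != canonical_host.lower():
            problems.append(
                f"{name}: host {host!r} differs from canonical {canonical_host!r}")
    return problems

# Constructed sample inputs (example.com is a placeholder domain).
GOOD_CFG = """define( 'URL', 'http://www.example.com/' );
define( 'SECUREURL', 'https://www.example.com/' );"""
BAD_CFG = """define( 'URL', 'http://example.com' );
define( 'SECUREURL', 'https://www.example.com/' );"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, check_vm_urls(cfg, "www.example.com") or "OK")
```

To use it on a real site, pass the contents of administrator/components/com_virtuemart/virtuemart.cfg.php as `cfg_text`.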

timbreese
OK, I figured it out, I think. Anyway, the registration is now working. My SSL is registered under www.harry... so I directed the non-www URLs and now it is working. I'm glad that I checked the difference in the URLs on the pages that weren't working!

slaes
VirtueMart is a very sensitive bi%c*. It hates being installed in one dir and then being moved around, including moved by htaccess.

nicholas
Akeeba Staff
Manager
VirtueMart is "special" in more ways than one :) You will certainly need to add more exceptions to the .htaccess Maker (if you use it) to let VM work correctly. IIRC, VM is using direct access to files in the administrator section, even some PHP files, to complete various tasks such as: adding items to the cart using Javascript; removing items from the cart; processing postbacks from payment gateways such as PayPal. It takes a lot of trial and error to get it set up properly.
