More user info needed for avast! Mac Edition 2.74 + _THELA~2 PDF

[vastus]

On Dec 29 2008 I experienced an “attack” on my mac, the malware downloaded onto an installed USB stick (flash drive).  The "attack" opened a Word document on the USB stick and downloaded a file directly onto the stick (somehow bypassing the default setting that all downloads go to downloads folder on HD).  The downloaded file was named "_THELA~2 PDF".  I found it on my USB stick.  It had a last modified date of 20/10/2008.  I viewed it from "Quick Look" option in Trash menu, then emptied Trash.  Finder described it as a PDF but I am advised that hackers can make non-PDF files appear as PDFs.  I had never seen the file before.  The top page (which is all you get to view in Quick Look) was a picture of a child with a circular stamp (the instrument) super imposed to one side of the picture.  The child appeared to be of South American or Northern European (indigenous) origin.
The "attack" came completely by surprise.   The only installation downloads I have made are the upgrades for Microsoft Office 2008 and all the Apple software updates, which I access directly from Apple and Microsoft (not via third party links).  I have never made a third party installation of anything.  The only other installations on my machine were Adobe 9.0 (which wasn't used because I decided I preferred Preview; I have now uninstalled Adobe) and Firefox 3.0 (which I never ran because I couldn't easily decipher how to set it for equivalent or higher security than Safari; I permanently run Safari in Stealth mode).  I have never encountered a third party request to update Adobe Flash or Firefox or anything else. 
I don't have Microsoft Windows installed.
At the time of the "attack" these applications were open:  Safari, and a Word document on another USB stick (in the other USB port) was open.
The "attacked" USB stick was just sitting in the port waiting to take a (backup) copy of the Word document when I finished my session.
Using Safari I arrived at a news item page from Australia's public broadcasting corporation (via a link from another very reputable Australian commercial site) but Safari's spinning ball kept going long after the page had loaded.  While the ball was spinning the "attack" was happening.
I took both USB sticks to the local library and ran each twice through their avast! virus scan (on PC, no Mac available at library).  Nothing was found on either stick.  I emptied the PDF from Trash and replaced the Word document with the original copy (from the other USB stick) before the scan.   When I next moved a new Word document onto the "attacked" USB stick (for backup) the name of the document was changed from "Angular Cheilitis" to ANGULA".  I gather there was still some sort of malware on the stick that avast! scan at library did not find.  For the sake of $12 for a new stick I physically trashed the stick.  I didn't open any documents on the USB stick after the "attack" so I appear to have kept the malware isolated to the stick.  My computer and the other stick are acting normally.  I now have Little Snitch 2 installed and there does not appear to be any unwanted messages attempting to leave my computer.  I find Little Snitch 2 reassuring and not intrusive.
I also downloaded avast! Mac Edition 2.74 from apple.com downloads.  I did a full scan of the HD and remaining USB stick; no viruses were found.  I made telephone contact with the Australian company associated with avast.com.au.  The man I spoke with was very generous with his time but said they rely on this forum to get most of their info, especially about the Mac Edition.  I downloaded avast! with some confidence in it because the local library use it, however, without better user information I am unsure whether I am getting decent virus protection.  I have no idea what I should put in "Default scan locations"; I currently have Documents, Downloads, Desktop and Pictures in there.  I have no idea whether Web Shield is a part of the Mac Edition and whether I am getting ongoing protection as I search with Google.  Should I have some applications routinely scanned at launch?  etc. etc. 
After 60 days trial I need to pay.  Without better user support that is unlikely to happen.
Cheers
vastus

[zilog]

On Dec 29 2008 I experienced an “attack” on my mac, the malware downloaded onto an installed USB stick (flash drive).  The "attack" opened a Word document on the USB stick and downloaded a file directly onto the stick (somehow bypassing the default setting that all downloads go to downloads folder on HD).  The downloaded file was named "_THELA~2 PDF".  I found it on my USB stick.  It had a last modified date of 20/10/2008.  I viewed it from "Quick Look" option in Trash menu, then emptied Trash.  Finder described it as a PDF but I am advised that hackers can make non-PDF files appear as PDFs.  I had never seen the file before.  The top page (which is all you get to view in Quick Look) was a picture of a child with a circular stamp (the instrument) super imposed to one side of the picture.  The child appeared to be of South American or Northern European (indigenous) origin.
The "attack" came completely by surprise.   The only installation downloads I have made are the upgrades for Microsoft Office 2008 and all the Apple software updates, which I access directly from Apple and Microsoft (not via third party links).  I have never made a third party installation of anything.  The only other installations on my machine were Adobe 9.0 (which wasn't used because I decided I preferred Preview; I have now uninstalled Adobe) and Firefox 3.0 (which I never ran because I couldn't easily decipher how to set it for equivalent or higher security than Safari; I permanently run Safari in Stealth mode).  I have never encountered a third party request to update Adobe Flash or Firefox or anything else. 
I don't have Microsoft Windows installed.
At the time of the "attack" these applications were open:  Safari, and a Word document on another USB stick (in the other USB port) was open.
The "attacked" USB stick was just sitting in the port waiting to take a (backup) copy of the Word document when I finished my session.
Using Safari I arrived at a news item page from Australia's public broadcasting corporation (via a link from another very reputable Australian commercial site) but Safari's spinning ball kept going long after the page had loaded.  While the ball was spinning the "attack" was happening.
I took both USB sticks to the local library and ran each twice through their avast! virus scan (on PC, no Mac available at library).  Nothing was found on either stick.  I emptied the PDF from Trash and replaced the Word document with the original copy (from the other USB stick) before the scan.   When I next moved a new Word document onto the "attacked" USB stick (for backup) the name of the document was changed from "Angular Cheilitis" to ANGULA".  I gather there was still some sort of malware on the stick that avast! scan at library did not find.  For the sake of $12 for a new stick I physically trashed the stick.  I didn't open any documents on the USB stick after the "attack" so I appear to have kept the malware isolated to the stick.  My computer and the other stick are acting normally.  I now have Little Snitch 2 installed and there does not appear to be any unwanted messages attempting to leave my computer.  I find Little Snitch 2 reassuring and not intrusive.
I also downloaded avast! Mac Edition 2.74 from apple.com downloads.  I did a full scan of the HD and remaining USB stick; no viruses were found.  I made telephone contact with the Australian company associated with avast.com.au.  The man I spoke with was very generous with his time but said they rely on this forum to get most of their info, especially about the Mac Edition.  I downloaded avast! with some confidence in it because the local library use it, however, without better user information I am unsure whether I am getting decent virus protection.  I have no idea what I should put in "Default scan locations"; I currently have Documents, Downloads, Desktop and Pictures in there.  I have no idea whether Web Shield is a part of the Mac Edition and whether I am getting ongoing protection as I search with Google.  Should I have some applications routinely scanned at launch?  etc. etc. 
After 60 days trial I need to pay.  Without better user support that is unlikely to happen.
Cheers
vastus

Hallo,

the full scans tends to take hours to complete, and thus, here's the "default scan location" option. typically, select only directories, where new (and potentially infected) stuff arives. On Mac version, there's no webshield, but, on-access will report all dropped files from the Safari.

It's posible, that the malware issomething yet-unknown, then, you should send it to virus@avast.com for analysis. If you need more than 60 days of trial, you can participate in testing of the beta-engine (which works without license for longer period, see the post below in this forum).

regards,
pc

[vastus]

Thank you for your reply zilog. 
Your answer isn’t all that helpful to me because I am clueless about what directories on my computer are vulnerable.  From your reply I gather that I probably have sufficient directories in “default scan location” because currently I am a very unsophisticated user of my computer.  The only applications I currently use are MS Office 2008 for Mac Word and PowerPoint, and Apple Preview and Safari.  Downloads by default should come into Downloads folder on HD.  I have used Photo Booth and there are pictures stored in Pictures folder.  So far I haven’t launched any other Apple applications.  However, Little Snitch often asks for permission to allow Apple, or the notebook, to connect to various ports, most of which I allow because they appear to be genuine URL addresses but I have no idea whether some of these ports should be part of default scan. 
I read some comments about the beta-engine during my browse through avast.com yesterday.  It appears people are having some problems with it.  I’m not competent or knowledgeable about IT, and I do not have sufficient time to participate in online discussion forums in order to solve lots of technical problems.  I just want something that I can rely on to do its job and I am prepared to pay for that.  At the moment I am inclined to try one of the other virus protection products available for download from apple.com and see if their user info is more helpful to me. 
I don’t mean this to be a negative post.  I think a lot of IT firms fail to understand that what is S I M P L E to a techno wiz is C O N F U S I N G to most of us.  The feedback from this post for avast is that avast has a potential customer who is planning to take her business somewhere else.  Perhaps I will find other virus-ware providers are just as bad at providing understandable (for the confused) support, but I won’t know if I don’t try.
Thanks again for your reply.
Unfortunately I literally physically destroyed the “attacked” USB stick so there is nothing to send to avast for analysis.
Cheers
vastus

[zilog]

Thank you for your reply zilog. 
Your answer isn’t all that helpful to me because I am clueless about what directories on my computer are vulnerable.  From your reply I gather that I probably have sufficient directories in “default scan location” because currently I am a very unsophisticated user of my computer.  The only applications I currently use are MS Office 2008 for Mac Word and PowerPoint, and Apple Preview and Safari.  Downloads by default should come into Downloads folder on HD.  I have used Photo Booth and there are pictures stored in Pictures folder.  So far I haven’t launched any other Apple applications.  However, Little Snitch often asks for permission to allow Apple, or the notebook, to connect to various ports, most of which I allow because they appear to be genuine URL addresses but I have no idea whether some of these ports should be part of default scan. 
I read some comments about the beta-engine during my browse through avast.com yesterday.  It appears people are having some problems with it.  I’m not competent or knowledgeable about IT, and I do not have sufficient time to participate in online discussion forums in order to solve lots of technical problems.  I just want something that I can rely on to do its job and I am prepared to pay for that.  At the moment I am inclined to try one of the other virus protection products available for download from apple.com and see if their user info is more helpful to me. 
I don’t mean this to be a negative post.  I think a lot of IT firms fail to understand that what is S I M P L E to a techno wiz is C O N F U S I N G to most of us.  The feedback from this post for avast is that avast has a potential customer who is planning to take her business somewhere else.  Perhaps I will find other virus-ware providers are just as bad at providing understandable (for the confused) support, but I won’t know if I don’t try.
Thanks again for your reply.
Unfortunately I literally physically destroyed the “attacked” USB stick so there is nothing to send to avast for analysis.
Cheers
vastus

Hallo,
exactly those directories, where new files appear (and this is nothing general because it depends on your personal setting). For most users, it's Safari's download location (Desktop by default), Documents, or their home directory entirely (or flash/usb volume, etc.).

regards,
pc