BEst inSTall TLl – 49% Detection Rate

Hello readers! If you are a regular here on the FreeFixer blog you know that I’ve been looking on the certificates used to sign files that bundled various types of unwanted software. Today I found another certificate, used by a publisher called BEst inSTall TLl.

BEst inSTall TLl publisher

If you have a BEst inSTall TLl file on your machine you may have noticed that BEst inSTall TLl is displayed as the publisher in the UAC dialog when double-clicking on the file. You can also check the digital signature under the file’s properties. According to the embedded certificate we can see that BEst inSTall TLl is located in Dublin, Ireland and that the certificate is issued by thawte SHA256 Code Signing CA.

BEst inSTall TLl certificate

Thawte has issued the certificate.

BEst inSTall TLl cert chain

So, what does the anti-virus programs say about the BEst inSTall TLl file? No problem, I just uploaded the file to VirusTotal and it turned out that many of the anti-virus programs detects the BEst inSTall TLl file, with names such as NSIS:OutBrowse-DQ [PUP], Downloader.QWU, Gen:Variant.Adware.Mikey.21084, HEUR/QVM30.1.Malware.Gen and Generic PUA AA (PUA).

BEst inSTall TLl anti-virus report

Did you also find a BEst inSTall TLl file? What kind of download was it? If you remember the download link, please post it in the comments below.

Thanks for reading.

Update 2015-08-18: Found another download, also signed by Best Install TLl, claiming to be an episode of a famous TV series. The detection rate for this file was 45%. Notice that the installer does not have any button to cancel the installation.

BEst inSTall TLl installer window