OOBEOFFER.EXE & Related Files

Hello. I am a long-time Comodo IS user, but a new poster on this forum. I really need help with a problem, and have been unsuccessful in finding answers elsewhere. I hope I have chosen the appropriate place to post this question.

I have just purchased a desktop computer from Acer. It comes with Windows 7 Home Premium, plus a bunch of application software, most of which I don’t want. First off, I uninstalled McAffee and installed Comodo IS (just as on my previous boxes). I also removed Norton Online Backup and Nero 9 burning software.

Now I am using Autoruns.exe to see what programs are automatically loading during Windows startup. I found one called OOTAG.EXE. I traced this back to the directory: C:\Acer\OOBEOFFER. This directory contains not only OOTAG.EXE, but also OOBEOFFER.EXE and OOEXECUTER.EXE.

I have searched the Web for info on these programs, and have found an amazing scarcity of information – almost as if these don’t exist. However, I did find two completely conflicting opinions:

Bestspywarescanner.net says these programs are spyware, and that “they install many infected programs on your computer.” They highly recommended getting rid of them, but suggested it won’t be easy.

Bestregistryscanner.net says these programs “serve as Microsoft’s implementations of the shared library concept in the Microsoft Windows and OS/2 operating system that is designed to act as an executable shared library of functions or data used in OOBEOffer.exe.”

So one source says they are poison, the other says they are essential to Windows. Both sources sound like they are simply trying to sell their own products, so I doubt I can trust either one. Yet I can’t find any info on these programs anywhere else.

Is anyone already familiar with these programs? Are they malware of some sort? If so, what would be involved in totally removing them (and any damage they may have already done)?

I have only had this computer for one week. All I have done with it is remove the three programs mentioned earlier, then install Comodo IS, AVIRA Antivir, and Quicken. I honestly do not know whether the directory and programs in question were on the computer when I received it, or whether they somehow arrived during the uninstalls and installs I just mentioned.

I would greatly appreciate some experienced advice on what to do next. I hate to move along any further with this new machine (installing more apps, etc.) until I deal with this potential threat.

Thanks very much!

Please upload both of these files to both virustotal and CIMA and post a link to the results. From those it should be obvious whether they are malicious or not.

It comes with Windows 7 Home Premium, plus a bunch of application software, most of which I don't want.
I and some other people I know generally just reformant a new computer and put a fresh windows 7 in. All ■■■■ gone and install only what I want


Use “revouninstaller” to remove the programs for you 1 by 1 (I’m sure there’s alot). It’ll remove all the traces :slight_smile:

P.S. When using Revouninstaller, If a software asks to “restart the computer”. DON’T!! Just click restart later. AND CONTINUE ON :slight_smile:

Thanks to Chiron and to jay2007tech for your advice.

Chiron, I will do the uploads and post a link as you suggested. Thanks for your help.

jay2007tech, I would really like to do a format and fresh install of Windows 7, and I thought of doing that right away. The current install, of course, came with the PC. I think I can get Windows 7 Home Premium for about $80. Maybe it would be worth it. I already have revo, although I have limited experience with it. Is it ALWAYS better to use, compared with Windows uninstall or a program’s own uninstaller?

I already have revo, although I have limited experience with it. Is it ALWAYS better to use
When it comes from the factory full of ■■■■ then use revouninstaller
I think I can get Windows 7 Home Premium for about $80
why pay twice ??? You can download the installer from here, Choose the right one (YOU WILL NEED A PROGRAM THAT CAN BURN IMAGE FILES --- .ISO FILE) <---DON'T FORGET THIS http://forums.mydigitallife.info/threads/14709-Windows-7-Digital-River-direct-links-English-Spanish-German-French-X86-amp-X64 SCROLL DOWN UNTIL YOU SEE THE CORRECT ONE

P.S. Don’t forget your product key before reformating, you’ll need to reactivate it. There’s probably a sticker on the computer somewhere

At Chiron’s suggestion, I submitted all three suspicious files to VirusTotal and to CIMA. Both came up empty: VirusTotal showed all blanks, for all scanners. CIMA yielded “Undetected” for each one. This seems to indicate these programs are not malware. Oddly, I finally got a response from Acer online tech support, who told me these are spyware and that I should completely restore my computer to factory configuration. I wonder if they just “Googled” the program names and saw some of the same warnings I did.

I guess I might try just renaming the programs temporarily, to see if they are really needed or not.

Meanwhile, thanks, again, Chiron.

And thanks to jay2007tech for the tips on revo and how to re-install Windows 7. I had no idea that could be done. I’m sure that will really come in handy.

Appreciate all the help!

Oddly, I finally got a response from Acer online tech support, who told me these are spyware and that I should completely restore my computer to factory configuration.
Based on my experiance, Acer propably has a back-up of everything installed from the factory. WHICH MEANS, If you do a complete restoration to factory configuration THEN ALL THE TIME AND EFFORT YOU TOOK TO REMOVE THE FACTORY ■■■■ THAT YOU UNINSTALLED INCLUDING WHAT'S BEEN REMOVED WITH "REVOUNINSTALLER" WILL COME BACK :-TD

Besides, that sound like a stardard response (they propably required to say that)
My question is, Did they thoroughly examine your computer??? (Example) Like comparing the checksums of the files and compare it to the ones at the factory!!!

My advice is, if you ever finally remove all the factory ■■■■ on there, Create a complete backup image of your computer and use that one for restoration if one day your computer becomes corrupted . *Bonus points If you reformat the computer and install everything YOU want on there before creating a complete backup copy :slight_smile: <–Of course those are just bonus points and are not required :wink:

I had no idea that could be done.
All good, If there is anything you like to know(even if your not sure it can be done or need help) Just ask. >:-D

Well not true for me Acer Aspire.

Had a nice suprise the factory disc I created with there program had no rubbish left all gone just the basics :slight_smile:

The only pain was it did not install all the drivers :frowning:


FWIW it seems as if the only mentions of this on the Internet are for Acer and Gateway computers … since Gateway is made by Acer, I wonder if it isn’t factory installed, and related to the free trial offers of software.

Mine is in

C:\Program Files (x86)\Gateway\OOBEOffer\OOTag.exe

But others mention

C:\Program Files (x86)\Acer\OOBEOffer\OOTag.exe

C:\Program Files (x86)\Gateway\OOBEOffer\res\ThirdParty has McAfee and Norton folders. This all seems rather cumbersome for a malware, bloatware seems more likely. And none of the files trigger alerts.

The websites that come up in a Google search on this (and some you quoted) seem IMO to be just spam sites trying to drum up business or worse, so I’m not sure they’re reliable.

Anyway, definitely kill the startup of OO Tag. No obvious use I could see for this. Though if you are using the free trials, it may be needed. Or, it may track whether someone has used their free trial.

Best Spyware Scanner is so a rogue. Why would you name your anti virus Best Spyware Scanner? I would recommend you ignore this.
Site report:
ParetoLogic Malware site
Virustotal report:
NOD32 5700 2010.12.13 a variant of Win32/Adware.SpywareCease
The so-called mcafee secure on their website is also false and thus it is a definite rogue website.
Also look at one of the users of siteadvisor and what they said:
This site provides fake reviews of Windows processes, labeling many legitimate processes as viruses in order to promote its “spyware scanner” product.