May 5, 2001
10:20 PM

I need your help in figuring out why I saw two pop-up windows when visiting several times in the past week: the usual one for Amazon's most recent promotion, and one for one of their competitors. If you see a DealTime pop-up ad while visiting, please help me figure out how it got there. I think something insidious might be going on, but I'm having difficulty re-acquiring the pop-up.

Please see more details inside if you're interested, otherwise you can ignore this. I'll post the results under a separate thread if they're interesting.
posted by dan_of_brainlog (35 comments total)
It seems peculiar that would host a pop-up ad for a competitor-- I thought I saw one DealTime ad say they could get me a better price than what I was looking at, but I didn't have time to read it closely before I instinctively closed the window. So I asked an Amazon friend of mine about the ad, and was assured 1) that Amazon would never host that kind of advertising, 2) that Amazon is very strict about using JavaScript and anything else of that sort, and 3) that Amazon has very tight in-house security monitoring their own pages for unauthorized bad things. I asked about the ad only after we had just closed it, and we couldn't recreate it, even after clearing out cookies and the cache, and restarting the computer.

When I realized the ad was particularly suspect, I remembered that the pop-up window did not have an icon in the upper-left corner-- which all Internet Explorer for PC browser windows (and most app windows in general in Windows) have. That is, if JavaScript opened the window in a traditional way, that icon would be there. Only an ActiveX thingy, or *gasp* another application or plug-in would open a window like that. Right?

It seems that either something snuck in from the page I was on before, a page of my own design hosted by DreamHost; or something snuck in from, perhaps a domain hijacking; or Amazon served it intentionally, highly unlikely and no evidence in the source of the pages; or, perhaps, that Microsoft served it through the browser software itself? But I've only seen the ad on Amazon's site, so they would have had to be tricky.

Any thoughts? Is anyone else getting the ad? Am I wasting everyone's time?
posted by dan_of_brainlog at 10:38 PM on May 5, 2001

I had something odd like that happen recently. Some adware got installed when I downloaded the latest version of Bearshare, and I started getting popups even when I wasn't using the web - and it wasn't even one of those "stealth 1x1" windows... that may be it.
posted by owillis at 10:42 PM on May 5, 2001

Did you visit dealtime before you went to amazon?
posted by rdr at 10:48 PM on May 5, 2001

I remembered something similar happening to me when I was at Amazon earlier this week, so I went to the Amazon site again just now, and I got the Dealtime pop up ad!

It says something like "Stop, you're paying too much!" and provides a link to Dealtime. Weird.
posted by sanitycheck at 10:54 PM on May 5, 2001

OK, even better, I *just* checked amazon and...a pop-up for...BARNES&NOBLE came up! Granted, I am not using my PC right now, so perhaps there's something up with my friend's PC...but....
posted by kphaley454 at 10:57 PM on May 5, 2001

owillis: Ah, that might be it right there. I installed BearShare a couple of weeks ago (after it was recommended in a MetaFilter thread). Can anyone else confirm this? Will uninstalling BearShare ditch the ad?

sanitycheck: BearShare installed?

rdr: I've never heard of DealTime before I started seeing these ads. Now I hate them. :)
posted by dan_of_brainlog at 10:58 PM on May 5, 2001

This Mac user has been to Amazon multiple times in the last week, and I've never gotten any popups for anything but Amazon. So maybe it is Windows-specific adware.
posted by aaron at 11:09 PM on May 5, 2001

Don't hate DealTime. We don't know if they're responsible for the pop-up yet. It seems strange that both they and B&N would be running ads over Amazon's site. Plus, and I'm going to sound like a flack here, they will generally get you better prices and have a much better chance of finding used or out of print books than Amazon. Let us know if uninstalling BearShare gets rid of the ads.
posted by rdr at 11:14 PM on May 5, 2001

As I recall, you don't need to uninstall Bearshare, just the OnFlow plugin it installs. That is the adware that could be causing this, not Bearshare itself.
posted by antispork at 11:26 PM on May 5, 2001

This Mac user has been getting annoying background pop-ups for X10 video cameras at an incredible number of sites, however.
posted by kindall at 12:05 AM on May 6, 2001

I need your help in figuring out why I saw two pop-up windows when visiting several times in the past week:

You whine too much.
posted by Bag Man at 1:12 AM on May 6, 2001

Are you using any browser companion like Gator, which has an application called OfferCompanion that, when you go to a shopping site, pops up a window and offers a deal in a competitor's site? So companies like B&N or DealTime may have their deals pop up when a user of OfferCompanion visits the Amazon web site.
I am not using the software myself though, so I don't really know how exactly it works. I read all about this stuff in an article somewhere which I couldn't find again.
posted by Yeet at 2:01 AM on May 6, 2001

kindall, I've seen those on Mac MSIE 5 as well - any clues what might be causing it?
posted by m.polo at 7:39 AM on May 6, 2001

Here's a pretty comprehensive list of adware, malware, and spyware, with some links to removal programs and methods.
posted by dhartung at 9:46 AM on May 6, 2001

I did install BearShare a week or two ago. I wasn't particularly impressed with it and had already uninstalled it, but apparently it left behind the Onflow plugin.

Now I've uninstalled Onflow, but I still seem to be getting the Dealtime pop-up when I go to Amazon. Argh.

The only other thing that's changed with my web browsing setup recently (as far as I know...) is that I started using Webwasher. And it seems rather unlikely that this would be related to the Dealtime ad problem (though it would be ironic).
posted by sanitycheck at 10:08 AM on May 6, 2001

The only awkward popup I've seen on Amazon recently is this one:

(Warning: adult-themed book title)
posted by CrayDrygu at 11:36 AM on May 6, 2001

kindall, I've seen those on Mac MSIE 5 as well - any clues what might be causing it?

What's causing it is the specific sites you're visiting are being sponsored by that advertiser, I think.
posted by kindall at 11:45 AM on May 6, 2001

Here's where the ad is located.

I did some digging around, having been affected myself. It turns out the application spawns SAVENOW.EXE from c:\Program Files\SaveNow. Some excerpts from the ReadMe.TXT file:

Dear SaveNow User -
SaveNow was probably installed on your computer as a co-bundle with other software that you downloaded from the Internet.


SaveNow is a program that gives you relevant offers and tells you about other similar sites when you surf the web.

If you run the Uninst.exe program in that directory, you should stop getting the annoying popups. It seems to have worked for me.

Hooray for WinTOP!
posted by frenetic at 11:52 AM on May 6, 2001
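
The check frenetic describes (find the process behind the pop-up, then its install folder and uninstaller), as an added example that is not part of the original post or of any tool named in this thread. It assumes a current Windows with PowerShell; the search terms are the program names mentioned in the thread, and the Run-key check is a general autostart check, not something the thread says these programs used.

```powershell
# Added example. Search terms are the program names mentioned in this thread.
$names   = 'SaveNow', 'webHancer', 'Onflow'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Running processes whose name or image path matches (the WinTOP step).
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.Name -match $pattern -or $_.ExecutablePath -match $pattern } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath

# 2. Add/Remove Programs entries: per-machine, 32-bit view, and per-user.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern -or $_.InstallLocation -match $pattern } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString

# 3. Folders left behind under Program Files after the bundling app is removed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dirs  = Get-ChildItem -Path $roots -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    Select-Object FullName, CreationTime

# 4. Run-key autostarts (general check; an assumption, not from the thread).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Name) $($_.Value)" -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# Report each section, stating explicitly when nothing matched.
$report = [ordered]@{ Processes = $procs; Installed = $installed; Folders = $dirs; Autoruns = $autoruns }
foreach ($section in $report.GetEnumerator()) {
    "== $($section.Key) =="
    if ($section.Value) { $section.Value | Format-List | Out-String } else { '  none found' }
}
```

A match in sections 2 to 4 with nothing in section 1 means the program is installed but not currently running; the `UninstallString` column shows the vendor's own uninstaller, as with the Uninst.exe mentioned above.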

Thanks for your help, all. Indeed, it was SaveNow that was installed on my computer, and I was able to use Add/Remove Programs to get rid of it.

For those who don't see what the big deal is, let's get something straight: When I install ad-supported software, I expect the software to make it clear to me that it is the product sponsored by the ads I'm seeing, and that I only see those ads when I'm using that software. Just like I expect my word processor not to delete all the files on my hard drive, or my video game to not send the contents of my browser history to a user profile clearinghouse. SaveNow is a trojan horse in every respect, and whoever is responsible for its presence on my computer has violated my privacy and my property.

SaveNow is particularly bad because the pop-up ad does not provide any way of determining that a program called "SaveNow" is the cause, or otherwise inform the user how to get rid of the ads. I'm a little surprised that there even was a SaveNow entry in Add/Remove Programs. In contrast, while Comet Cursor is trying to sneak e-commerce functionality onto computers by having popularized the plug-in before it had that functionality, then issuing an automatic update to put it in, it is clear at every step of the way that Comet is the source, and if I didn't want that functionality I can just uninstall the plug-in.

There are consumer protection issues here, as well. A mainstream user would not know how to do anything of what we just did. If you'll forgive the melodrama of this analogy: it's like trying to find an antidote to a chemical added to store-bought food that wasn't properly labelled, after the food has been consumed.

I expect whatever happens on my computer when I visit a web site to be limited to within the confines of the browser environment, and caused entirely by the site that I'm visiting. I don't mind the two pop-up ads if they were both served with's authorization. But they weren't. I would hope even the industry would be against these tactics. And I hope you are, too.
posted by dan_of_brainlog at 1:38 PM on May 6, 2001

I don't have SaveNow, but I do get these screens. Did a little digging and found out that a program called "webHancer" was installed on my computer without me knowing, and it has the same text in the ReadMe file.

This is also a trojan horse, as it says it sends information back to the company that spawned it.

I'm wondering where these are coming from. I haven't installed or used BearShare; in fact, I formatted my hard drive not a week ago.
posted by SpecialK at 5:16 PM on May 6, 2001

SaveNow definitely comes from BearShare. It's in the list of things it installs and is a required installation, along with some domain registration thing. If you deselect it and try to install, it says "Please support this free software", etc.

This page has some information on how to get rid of Webhancer. The buzz is that just trying to uninstall it breaks your Windows. I couldn't find a list of software it comes with, but it's apparently in Audiogalaxy Satellite if you happen to use that.
posted by frenetic at 6:57 PM on May 6, 2001

BearShare is supporting these things, which I noticed when I downloaded. Did not continue installation, but somehow the SaveNow appeared anyways.

[slightly offtopic] I also don't like that it wants to install extensions, which I think are a load. How they think they can make their own registry is beyond me. What is stopping anyone from doing this? Sigh. Net is going to hell. [/slightly offtopic]
posted by benjh at 7:28 PM on May 6, 2001

As for the Barnes & Noble ad, didn't they sell out to Amazon?
posted by aladfar at 8:09 PM on May 6, 2001

Borders joined up with Amazon.
posted by owillis at 8:19 PM on May 6, 2001

If this is true, it's a reason for me to never consider trying BearShare again.

Has anyone been having memory problems since they installed BearShare (and hence onflow)? Since I installed (and uninstalled) it, I've found myself having to restart my computer every couple of hours.

For the record, I don't use, but just went there and got the DealTime window.
posted by mrbula at 9:10 PM on May 6, 2001

Has anyone determined the source of those annoying X10 camera ads, or is it a traditional pop up ad and not assisted by any software?

posted by rmannion at 10:58 PM on May 6, 2001

mrbula: Oh my gawd! You too?

My particular problems have been gradually degrading response, then explorer.exe (the Desktop) crashes. I'm in Win2k, so I can use Task Manager to kill it and restart it (with some missing system tray icons).

It now also takes ten seconds for a browser window to open to my home page, even when my home page is set to blank. I don't recall having these problems before installing BearShare, though I never made a connection until now. If this is also due to BearShare, I'm gonna... COMPLAIN SOME MORE!

rmannion: I saw the X10 pop-up in at least one place today, but it looked like a browser window, so it was probably served by whatever site that was. I'll double-check next time I see it.
posted by dan_of_brainlog at 11:26 PM on May 6, 2001

I have been wondering why I have been getting these ads as well. I have been getting them at the Australian version of Yahoo recently. I just looked and I have Save Now installed on my computer, and I'm pretty sure that BearShare is the only program that could have installed it for me, and I'm pretty pissed off about that.
posted by benricho at 1:55 AM on May 7, 2001

I have confirmed that SaveNow is what was causing explorer.exe to crash, and Internet Explorer to load slowly. I am very, very glad to be rid of that.

This illustrates another serious issue with trojan software, especially such software that runs constantly in the background: Software can be poorly written and have bugs. If I don't know what software is installed on my computer, it's that much more difficult to diagnose problems. I would also expect any company that thinks it's OK to sneak software onto someone's computer to be writing crappy software to begin with, but I suppose that's just me being judgemental.

(rmannion: I got an X10 ad from the L.A. Times, if you're still interested. It was browser-spawned.)
posted by dan_of_brainlog at 2:13 AM on May 7, 2001

BearShare is now known as BewareShare. Vinnie's response is kind of interesting.
posted by dan_of_brainlog at 2:16 AM on May 7, 2001

In your hosts file, add the line:

That will alleviate you from x10 ads at CNN, Chicago Tribune, and whatever other top-level sites they rope into their evil net of promotion.
posted by dhartung at 5:46 AM on May 7, 2001

It's probably OnFlow. Bearshare installs it by default.
posted by grambo at 9:08 AM on May 7, 2001

webHancer comes with any number of products, most notably AudioGalaxy Satellite. I downloaded AudioGalaxy a few weeks ago, and when I saw it had installed webHancer, I attempted to uninstall it. Then, however, every time any program would attempt to access the Net (regardless of how many times I rebooted) the program would crash due to an error in an unseen DLL.

After FOUR HOURS of wrestling with driver and software (un|re)installation, I reinstalled AudioGalaxy and webHancer and uninstalled them both, and suddenly everything was working again.

Irate was probably the most appropriate word...
posted by Danelope at 11:26 AM on May 7, 2001

after a recent spate of spam, i did a little snooping around to see what i could do about it. some suggestions:

the proxomitron which blocks javascript, including favorites like referrer and email-address sniffers that collect your e-mail address (if browser is set up 'properly') and sniff your referrer cache to see where you have been. additionally, it foils a lot of double-clickery, kills pop-ups, and replaces banner ads with blank images.

this will remove spyware items like comet cursor and others.
posted by donkeysuck at 3:04 PM on May 7, 2001
