Yes that's what it usually does. Usually it is the keywords in the name of the url or on the page of the site they go to that triggers the scumware. So like if you send someone to Ebay.com with your affiliate code your affiliate cookie will drop just fine into the visitors browser (as long as they are accepting cookies). The problem is that once they are there the keywords that show they are on ebay's site by there url will cause the scumware to know that and to steal the credit they will pop up either a double window or an invisible pop up. A double window means they will just do a pop up of ebays site in another window on there screen even though they are already there. That way when the new window pops up it has there own affiliate code embedded in it and that overwrites your cookie that just dropped into there browser. Because Ebay, CJ and most of these affiliate programs give credit to the person with the last cookie. Anytime a surfer clicks on or gets a cookie forced on them it overwrites any older ones they might have had. Even if it is 2 seconds later. Doesn't matter. When they do invisible pop ups it does the same thing as the double pop up. Only the user does not see another screen pop up. They see nothing at all. It looks to them like nothing strange has just happened and just like they surfed to the merchants site from yours and that's it. But your cookie was still over-written by the invisible pop up the scumware launched once they got to the merchant site.