OK, with Haiko's permission, here goes.
I was thinking about using my server instead of the user's browser to make the actual HTTP request to a merchant site and return the page to the browser with my cookie. Kind of like cloaking, but a little different, I guess.

It was pointed out that it won't work, because the BHO cookie thief will just activate when the user clicks links on the merchant page that was returned by my server.

Well, now I need to come up with some other ideas. I am relatively new to AM. About eight months and happy with results so far. I'm not new to programming, however, but I've been having trouble finding details on how these thieves work. Without spending a lot of time reverse engineering them, I can't come up with defensive measures. It is a fascinating subject, and I would appreciate any info, good technical details, that anybody can offer on some of the methods used by parasites. Like where they like to go in the registry? How do they trigger their operations if they are not in the startup group and they have no running process? I've discovered quite a variety of tricks so far, but no consistent pattern that could be used to make a generic defense tool.

BTW, I am a dotNet junkie. Any solution I might design is not likely to be a saleable product. DotNet users probably wouldn't pay for it. They'd more likely do their own. I'd be happy to share anything I can design that works to thwart the thieves.

Thanks for any help.