Thanks for that. I am wrong often. My wife points this out to me with astounding frequency. Next time I think a security product failed, I will copy the logs and ask more questions. Lesson learned.

Looking at the logs from the AV I installed, there were 151 detections on the first workstation, 186 on the second. This after cleaning both with AdwCleaner, JRT and a set of standalone removers. The first workstation had more like 300 total detections including the pre-scan cleaners. Nothing found pre-scanning the second one as nothing was active, it was all in the old Windows install.

Most of the detections were Conduit/CrossRider/Yontoo/InstallIQ type stuff on both, but a few were significant. I removed an active Theola.F/Mebroot plugin from Chrome on the first workstation before running the scans. Chrome went, too. The second had remote control software, phony Flash player installers and a bunch of Java exploits along with numerous outdated JRE installs in the old Windows folder.

I can't believe the previous "tech" pulled the astonishingly stupid stunt of cloning a thoroughly infected install, not scanning it for malware, copying it to a desktop folder, then telling the customer to "move whatever you need, then delete it". He even changed the folder icon to his own logo.

All righty then. Back to regularly scheduled programming. Thanks again.