I'm attempting to clean a work computer of a CryptoWall infection for another user. Only the contents of a personal SD card was encrypted, with all files on the machine itself being safe and sound. This does not add up to me. I can't find any trace of the virus itself with a Malwarebytes scan with updated database, and I don't see any file list registry entries consistent with this malware.
My assumption was that the infection occurred at home, encrypting his SD card contents, and then transported to work, where everything is actually fine. I mentioned this to him, but he insists the SD card has been in the machine for a very long time. The encrypted files all have a modified date of 9/22/14.
Are there other steps I should take to root out this virus before declaring the machine clean?