I have a client who became infected with CryptoWall 3.0, but it newer started encrypting files.
It was stopped as they was asked for Admin user + pwd to start the VSSadmin comandline interface.
There was no files left named HELP_DECRYPT.txt / .html / .png in any folder (all folders has been scanned) as i have seen it on another case.
I have collected the source file, registry entries made with unique machineID and other stuff.
Would you be interested in these files ?
I have removed the thread and the user has been given a new TS user profile.