Just over two weeks ago, a client of mine had a Cryptowall 3.0 infection, starting from a workstation. It was quickly contained, and we restored from backup, and all is well now. One residual side effect caught me completely off guard, however.
Every Windows workstation on the domain began having the help_decrypt files launch at startup. We found those files in the startup folders on the local C drives of the workstations, as well as in many other folders on C. No files on any of those computers were encrypted, however.
I have never seen nor heard of a crypto variant showing this behavior. Did it find the C$ shares on the network?