I think he installed after the infection. Just my read. My issue now is I don't think the new one is cleanable. The new version of Cryptowall (3.0) also uses Win32:Sality (or a modified version of that) and the REN command to rename the executables. Once that is done, it'll inject the source malicious code, and once you run (what you think is your personal documents), it'll just reinfect your system. Hopefully this isn't the case. If it is, well, sadly, a full reformat might be needed.