Just a couple of questions, and I am in no way saying you saw what you say you saw, I am just trying to clarify. First, are you sure that malware was being called from the system restore folder in HJT? The reason I ask is because I have been doing malware removal for quite a while, and have never seen this behavior, even with some of the most sophisticated malware. I have done extensive testing, along with a few others, and we have never found a single case where this happens. We have seen malware create directories that 'look' like system restore directories, as well as masquerading as Panda, McAfee, and Sygate though.
I can understand the reluctance to shut off System Restore (assuming it is ME or XP) on a customer's computer. I have not tried deleting specific restore points yet (never thought of trying it, to tell the truth), but I have seen some malware which apparently made their own restore files. Unusual thing about them: when System Restore was shut off (which should, to my understanding, delete all the existing restore points), the malware restore points were still present, but the malware in the restore point was not picked up when scanning! (Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked.)
AND the restore point would load, even in safe mode!!!!!
(This reminds me of another post I responded to recently, though different malware. Seems these things keep getting smarter trying to defeat the scanners.)