I can understand the reluctancy to shut off System Restore ( assuming it is ME or XP ) on a customers computer. I have not yet tried deleting specific restore points yet ( never thought of trying it to tell the truth ) but I have seen some maleware which apparently made their own restore files. Unusual thing about them, when System Restore was shut off ( which should to my understanding delete all the existing restore points ) the maleware restore points were still present, but the maleware in the restore point was not picked up when scanning! ( Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked. )
AND the restore point would load, even in safe mode!!!!!
( This reminds me of another post I responded too recently, though different maleware. Seems these things keep getting smarter trying to defeat the scanners. )
Just a couple of questions, and I am in no way saying you saw what you say you saw, I am just trying to clarify. First, are you sure that malware was being called from the system restore folder in HJT? The reason I ask is becuase I have been doing malware removal for quite a while, and have never seen this behavior, even with some of the most sophisticated malware. I have done extensive testing, along with a few others, and we have never found a single case where this happens. We have seen malware create directories that 'look' like system restore directories, as well as masquerading as Panda, McAfee, and Sygate though.

Also, HJT does not monitor registry keys having anything to do with system restore, so if anything like that had been showing up in logs, it would have created a bunch of commotion.

It is not unusual for malware to start in safe mode anymore. That only makes it marginally harder to kill, but a pain nevertheless. Self monitoring malware is not all that unusual any more either. And it would neatly explain the behavior you are describing.

Based on my understanding of System Restore, it is only a snapshot of a system at a given time. It is not designed to restore single files. WFP on the other hand does, and has been exploited by Bube, among others.

I'm not saying it can't happen though, just that I have not seen it. Would you happen to remember the infection involved, or by any chance kept a copy of the log?