Kaspersky found something strange: Program Files\Creative\SBAudigy\Program\ADGJDet.exe Infected: Trojan-Downloader.Win32.Bagle.jo. A little googling told me that it was a perfectly legitimate file, but Jotti's site told me the opposite. So I deleted it.
I thought I was clean. Additionally, I manually deleted keys related to srosa (megadrv3 or something), but some keys disappeared by themselves.
"drvsyskit"="C:\WINDOWS\system32\drivers\hldrrr.exe" [2006-05-10 01:05]
"german.exe"="C:\WINDOWS\system32\wintems.exe" [2008-02-11 07:15]
Two later keys didn't appear anymore :D
The processor usage was about 0-1%.
I was finally able to install HijackThis and save ComboFix.
I ran the Kaspersky online scanner once again (4 hours) and found that I'm still dirty. hldrr and wintems still existed. System Restore turned on by itself and there was Trojan-Downloader.Win32.Bagle.jo in System Information Volume. But this time I was able to delete them in normal mode (??)
Once again I wasn't able to boot into Safe Mode. I fixed the registry again and ran ComboFix. Now I am able to go into Safe Mode.
I don't understand the ComboFix log file :D. So I'm here.
I apologise for my poor style, but I have had little sleep for the last three days trying to fix the mess.
I didn't write down everything I did step by step. I ran HijackThis (only when I saved it under a changed name was I able to run it for the first time), Deckard's System Scanner, Silent Runners, and GMER a couple of times. I don't know if the srosa/wintems infection was only a consequence of the first infection or the main infection. I am posting two of my HijackThis logs (the first one and the last one), the ComboFix log, and the DSS logs. I'm not sure if I want to post the Kaspersky logs: they contain some private information, so I can send them to a helper, but I don't want them to be seen by everybody.