I do not see anything suspicious on the server (no netstat connections to remote port 80), but I'm not a professional server admin (I'm a hardcore software developer). Please do not write obvious comments (hire a professional person/company) - we'll consider that after this issue is resolved. Server is running under Windows Server 2008 R2. What tools should I use to analyze this situation?
This is not an exact duplicate of multiple "what should I do if my server is hacked" as I basically need to provide evidence that my server is clean.
Basic security measures were taken from the beginning (Windows Firewall on, Windows Update patches applied, ClamWin up and running).
I'm sorry to say that you are not managing that security incident the right way then.
If there's a fire in your house, are you waiting for it to extinguish itself before calling the fire-fighters?
If you have nobody in staff that can handle that type of incident, then you should get help from external resources that can manage security breach.
Ask your ISP to produce logs showing your server's involvement in the incident (a suspicious traffic graph, for example, generated by data from your ISP's routers or switches). If they can produce such evidence, your system is suspect.
If your machine was in fact involved in a DoS attack and you didn't initiate such action yourself, your machine is almost certainly compromised. If your system is compromised, the best advice you will get is to blow it away, as in How do I deal with a compromised server? or any of the other questions similar to it.
For determining if your system was hacked, remember that you cannot rely on any tools installed on the system, and that a good attacker will leave no obvious trails (except possibly odd traffic, noted by an external system). If you have any suspicion that your system was compromised, it is still compromised until it is rebuilt with known clean media and software.
Our ex-hosting company gave us a bad IP address when we got a new server. They then turned around and accused us of spamming because the IP address was in a spammer blacklist somewhere on the web. After a lot of wasted time we found that it was actually a previous customer of theirs who had done the spamming from that IP address. Make them prove to you what happened, when it happened, who reported it, etc. AFAIK anyone can report an IP address to most of these sites without much proof.
You can never be sure your system isn't compromised. You can only implement reasonable security and integrity for your system based on the importance of system uptime, reliability, integrity, etc. You can't reasonably be asked to secure your system without the know-how.
Just because your server isn't executing a DDoS attack now doesn't mean it hasn't done so earlier, and it certainly doesn't mean that your server isn't hacked.
If the DC has traffic logs showing your server participating in an attack, then that should be all the evidence you need. Getting a copy of the logs might help you to determine what's wrong with your server -- pay particular attention to timing.
This isn't a job for someone with average admin training. Tracking this stuff down can be hard and requires you to use every trick you know and a lot of tricks you don't. You may be looking for a very tiny needle in a very large haystack. Even experienced admins have trouble with this sort of stuff.
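Two of the answers above point the same way: ask the provider for their traffic logs, then look at the timing of your server's outbound traffic against the window they report. The script below is an added example and is not code from any of the posters; it assumes the provider exported NetFlow-style records as a CSV with the columns shown, and the records, the IP addresses (documentation ranges) and the reported 02:10 to 02:20 UTC window are all constructed for illustration. It builds a baseline outbound packet rate from the quiet seconds, flags seconds that exceed a multiple of that baseline, and lists where the bytes went during the reported window.

```python
"""Correlate provider-supplied flow records with a reported attack window.

Added example, not from the original thread. Assumes the hosting provider
exported NetFlow-style records as CSV with the columns below. All records,
addresses and the reported window are constructed sample data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: one line per flow, UTC timestamps.
# 198.51.100.20 is "our" server; 198.51.100.21 is a neighbour on the same link.
SAMPLE_FLOWS = """\
timestamp,src_ip,dst_ip,dst_port,packets,bytes
2012-03-10T02:00:05Z,198.51.100.20,203.0.113.7,443,12,9000
2012-03-10T02:00:09Z,198.51.100.20,203.0.113.8,80,8,6200
2012-03-10T02:15:01Z,198.51.100.20,192.0.2.50,80,48000,3072000
2012-03-10T02:15:02Z,198.51.100.20,192.0.2.50,80,51000,3264000
2012-03-10T02:15:03Z,198.51.100.20,192.0.2.50,80,50500,3232000
2012-03-10T02:15:03Z,198.51.100.21,203.0.113.9,25,3,1800
2012-03-10T02:40:00Z,198.51.100.20,203.0.113.7,443,10,7500
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2012-03-10T02:15:01Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": parse_ts(row["timestamp"]),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def outbound_per_second(flows, server_ip):
    """Packets per second sent *from* server_ip, keyed by whole second."""
    counts = defaultdict(int)
    for f in flows:
        if f["src_ip"] == server_ip:
            counts[f["ts"].replace(microsecond=0)] += f["packets"]
    return dict(counts)


def baseline_pps(per_second, exclude_start, exclude_end):
    """Mean outbound pps over the seconds outside the reported window."""
    quiet = [pps for ts, pps in per_second.items()
             if not (exclude_start <= ts <= exclude_end)]
    return sum(quiet) / len(quiet) if quiet else 0.0


def find_bursts(per_second, baseline, factor=10):
    """Seconds where the outbound packet rate exceeds factor x baseline.

    Returns (timestamp, pps) pairs sorted by time; these are the moments
    to compare against the provider's reported incident timing.
    """
    threshold = baseline * factor
    return sorted((ts, pps) for ts, pps in per_second.items() if pps > threshold)


def top_destinations(flows, server_ip, start, end):
    """Bytes per (dst_ip, dst_port) for the server's flows inside [start, end]."""
    totals = defaultdict(int)
    for f in flows:
        if f["src_ip"] == server_ip and start <= f["ts"] <= end:
            totals[(f["dst_ip"], f["dst_port"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    server = "198.51.100.20"                      # constructed
    start, end = parse_ts("2012-03-10T02:10:00Z"), parse_ts("2012-03-10T02:20:00Z")
    flows = parse_flows(SAMPLE_FLOWS)
    per_sec = outbound_per_second(flows, server)
    base = baseline_pps(per_sec, start, end)
    print(f"baseline outbound rate: {base:.1f} pps")
    for ts, pps in find_bursts(per_sec, base):
        print(f"burst at {ts.isoformat()}: {pps} pps")
    for (dst, port), nbytes in top_destinations(flows, server, start, end):
        print(f"in window: {nbytes} bytes to {dst}:{port}")
```

Run against a real export, the interesting result is not the absolute numbers but whether the bursts line up with the time the provider says the attack happened; if they do, that is the evidence the thread is talking about, and the next step is rebuilding the host rather than cleaning it.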