I do not see anything suspicious on the server (no netstat connections to remote 80 port), but I'm not a professional server admin (I'm a hardcore software developer). Please do not write obvious comments (hire a professional person/company) - we'll consider that after this issue is resolved. Server is running under Windows Server 2008 R2. What tools should I use to analyze this situation?
This is not an exact duplicate of multiple "what should I do if my server is hacked" as I basically need to provide evidence that my server is clean.
Basic security measures were taken since the beginning (windows firewall on, windows update pataches applied, Clamwin up and running).