Use AutoRuns , it will show all possible types of startup and scheduler tasks, and even highlight suspicious ones in red. And Process Monitor as advised by Stalker_RED (how to work with it is well shown here ).

Demolish the system, put a clean, tested one with closed critical holes. You won't find him if you came here to ask. Although if you really want to try, avz4, SysinternalsSuite will help. And the antivirus can also "play pranks" - it finds itself, heals itself, shows its usefulness.

The utility is called Process Monitor , it can also track calls to the registry.
I strongly recommend using AVZ.

Try checking your computer with Zemana Anti-malware scanner. It usually finds and removes detailed threats.

View computer and user startup

In this case, your antivirus treats the consequences - a binary with a workload. And the dropper either hangs in memory and leaves no traces, or breaks through an unpatched hole in the system from some other machine on the network (or on the Internet). Take the server offline, boot from some liveCD and check the disks, preferably with several tools - AVZ, DrWeb CureIT, something else.
Then you need to start the server in an isolated segment and put down all the updates, and it is highly desirable to release them to the Internet not directly, but through a proxy, logging all requests from the server. After that, watch.

The task may hang in the scheduler. AVZ can read.
Once a day, the task runs and pumps garbage.
I would also delete all unnecessary modules in the profile and clean all temporary folders.
Programs are installed in Program Files, but some useful software like dropbox may have a profile installation. In any case, I don’t think that there are many of them and they can be manually analyzed (to search for files, I use headlights)