How did it get in? Several possibilities:
- If you're running an Internet-facing service (you mention a mail server), then it could be using some sort of known exploit against that.
- You could have been hit by a "drive-by download" sort of attack, where you visited a web page that exploited a hole in your browser. This is particularly pernicious with web advertising, which allows attackers to buy ads and then ship their malware through those ads. Ad blockers are actually a serious security mechanism these days.
- You could have gotten a malicious attachment of some sort which then exploited some native app (Adobe Reader, Microsoft Word, etc.). Your IMAP client might also have been the vector for the exploit.

So how do you decide how the attack got in? That's hard to say. You could try to figure out *when* it arrived, then go through your logs to see if it was a mail attachment or whatnot.
How do you clean it up? "Nuke it from orbit. It's the only way to be sure." Seriously, modern rootkits, once they get into your machine, are very good at covering their tracks. You're lucky you saw this at all. Take the drive out, reformat from a trusted machine, and rebuild everything from scratch. Even then, "firmware malware" is totally a thing, i.e., malware that rewrites your BIOS and other low-level crap to reinstall the infection on an otherwise-clean operating system. Hard to say whether you've got that or not.
How do you keep it from coming back? You didn't say exactly which version of Windows and all your other tools that you're running, but needless to say, there's a benefit to keeping all of those up to date. Also, you might seriously consider ditching IIS and going with something else, or even pushing that functionality somewhere besides your personal machine. Maybe run it in a VM to isolate it.
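
As an added illustration of the "figure out *when* it arrived, then go through your logs" step (not part of the original answer): this sketch pulls IIS requests that fall near the time a suspicious file first appeared. The log lines, addresses, paths and the UTC-5 offset are constructed; the point it makes is that IIS W3C logs are written in UTC while file timestamps are usually viewed in local time, so they have to be normalized before they can be compared.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format; IIS writes these times in UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-03-01 13:58:10 203.0.113.7 GET /index.html 200
2024-03-01 14:01:42 198.51.100.23 POST /upload.aspx 500
2024-03-01 14:02:05 198.51.100.23 POST /upload.aspx 200
2024-03-01 18:30:00 203.0.113.7 GET /index.html 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated or damaged line: skip rather than misalign
            row = dict(zip(fields, values))
            stamp = row["date"] + " " + row["time"]
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(
                tzinfo=timezone.utc)
            yield row

def requests_near(text, first_seen, window_minutes=10):
    """Return requests within +/- window of first_seen (timezone-aware)."""
    if first_seen.tzinfo is None:
        raise ValueError("first_seen must carry a timezone")
    center = first_seen.astimezone(timezone.utc)
    delta = timedelta(minutes=window_minutes)
    return [r for r in parse_w3c(text) if abs(r["ts"] - center) <= delta]

if __name__ == "__main__":
    # Assumed: the suspicious file's creation time as displayed locally (UTC-5).
    local = datetime(2024, 3, 1, 9, 3, 0, tzinfo=timezone(timedelta(hours=-5)))
    for r in requests_near(SAMPLE_LOG, local):
        print(r["ts"].isoformat(), r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], r["sc-status"])
```

Timestamps and logs on a compromised machine may have been altered, so treat matches as leads, and read the log from the removed drive on a trusted machine.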