October 15, 2004

Virus infections.

Had a customer who had their server infected with worm.sdbot.rj, rbot.fn, agobot.zo, randex.q and another one I can't remember. The combination of all these viruses caused slow performance on the server, dropped network connections, corruption of the IIS metabase and a keylogger trojan being installed on the machine.
After a long day talking them through disinfecting the machine, I managed to get the server into a fairly clean state and also get a copy of the keylogger log. It makes quite interesting reading what it had logged and when (starting from 21st Sept). Unbelievably, it hadn't logged any passwords to the log file, so they were very fortunate in that they hadn't used the server to connect to other machines - most things listed in the log file were pings, ipconfig and traceroutes to diagnose problems caused by the virus being on the machine.
They now have AV software on the machine and, more importantly, a strong password, and they are up to date with all the Windows patches.

Posted by Andy at October 15, 2004 12:16 PM