I worked at a big-name university in the IT department for housing and dining. Long before I got there, one of the Oracle database servers for meal-related activities had been pwned for years because it hadn't been behind a firewall and it had a routed public IP address. It was running Windows, so it had accumulated a number of interesting pieces of malware, including obscure rootkits with no antivirus patterns. I once booted it up off of clean media, ran some forensics tools and found a warez dumpsite on it. This box "couldn't be down", so all that happened to it was that it was placed behind a bidirectionally-restricted firewall. It still kept limping along with funky malware because they didn't want to spend time or money fixing it. Sigh. If it were my box, it would've been an immediate disconnection, image hardening, wipe and reinstall from backups (data-only).
I remember sending some binaries and other deets over to Mark Russinovich at then SysInternals, who's now the CTO of Azure.