Saturday, December 12, 2009

Conficker Revisited
Conficker-infected machines tend to knock on any Windows boxes they can reach over the network, whether those are Windows boxes on your internal LAN or Internet-facing boxes with the wrong ports exposed to the Internet.

Be sure to firewall your Internet-facing boxes: Conficker-infected machines keep trying common username and password combinations in order to get into a machine. As a side effect, this brute-force attack can lock out users and slow down domain authentication because of the many password attempts, if the box being attacked happens to be joined to a Windows Domain/Active Directory.

One way to detect the source of Conficker or similar malware attacks is to enable Security Auditing on the Windows servers. Infected machines try hundreds of password combinations per minute on machines that they can find over the network. The only way to identify such machines is to run EventCombMT on all the suspect servers.

EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers (not just DCs, as we discovered later) for specific events, all from one central location. EventCombMT is part of the Account Lockout and Management Tools (ALTools) from Microsoft.

EventCombMT has a pre-canned search for events related to account lockout (Event IDs 529, 644, 675, 676, and 681). To search the event logs for account lockouts, follow these steps. The final step is to open the exported .csv in Excel and generate a list of offending IP addresses.
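The last step, turning the exported .csv into a list of offending sources, is easy to script instead of doing by hand in Excel. The following is an added example, not code from the post or from Microsoft's ALTools: it reads a CSV of the lockout-related events above, groups them by source address, and flags any source whose failure rate in a single minute reaches the "hundreds per minute" level the post describes, which a real user mistyping a password never does. The column names (Server, EventID, Time, Account, SourceAddress) are an assumption about the export layout, and the sample rows are constructed here for the demonstration; rename the `COL_*` constants to match your actual EventCombMT output.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Event IDs covered by EventCombMT's account-lockout search (from the post).
LOCKOUT_EVENT_IDS = {"529", "644", "675", "676", "681"}

# ASSUMED column names for the exported .csv; adjust to your real export.
COL_SERVER, COL_EVENT, COL_TIME, COL_ACCOUNT, COL_SOURCE = (
    "Server", "EventID", "Time", "Account", "SourceAddress")


def build_sample_csv():
    """Constructed sample export (not real EventCombMT output)."""
    rows = [",".join([COL_SERVER, COL_EVENT, COL_TIME, COL_ACCOUNT, COL_SOURCE])]
    accounts = ["administrator", "admin", "backup", "guest", "test"]
    # Noisy host 10.0.0.55: 150 failed logons (529) against DC01 inside one
    # minute, cycling through common account names, then a lockout (644).
    for i in range(150):
        rows.append(f"DC01,529,2009-12-12 10:00:{i % 60:02d},{accounts[i % 5]},10.0.0.55")
    rows.append("DC01,644,2009-12-12 10:01:00,administrator,10.0.0.55")
    # The same host also hits a member server over NTLM (681).
    rows.append("FILE01,681,2009-12-12 10:00:30,administrator,10.0.0.55")
    # A user mistyping a password twice: benign noise.
    rows.append("DC01,529,2009-12-12 10:03:10,jsmith,10.0.0.23")
    rows.append("DC01,529,2009-12-12 10:03:15,jsmith,10.0.0.23")
    # An event outside the lockout set; the parser ignores it.
    rows.append("DC01,538,2009-12-12 10:03:20,jsmith,10.0.0.23")
    return "\n".join(rows) + "\n"


def parse_export(csv_text):
    """Return the lockout-related events from the CSV as a list of dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[COL_EVENT].strip() not in LOCKOUT_EVENT_IDS:
            continue
        events.append({
            "server": row[COL_SERVER].strip(),
            "event_id": row[COL_EVENT].strip(),
            "time": datetime.strptime(row[COL_TIME].strip(), "%Y-%m-%d %H:%M:%S"),
            "account": row[COL_ACCOUNT].strip(),
            "source": row[COL_SOURCE].strip(),
        })
    return events


def summarize_sources(events):
    """Per source address: event count, peak events in any one minute,
    distinct accounts tried, and servers targeted."""
    stats = {}
    for ev in events:
        s = stats.setdefault(ev["source"], {
            "events": 0, "per_minute": defaultdict(int),
            "accounts": set(), "servers": set()})
        s["events"] += 1
        s["per_minute"][ev["time"].replace(second=0)] += 1
        s["accounts"].add(ev["account"])
        s["servers"].add(ev["server"])
    for s in stats.values():
        s["peak_per_minute"] = max(s["per_minute"].values())
    return stats


def offending_sources(stats, per_minute_threshold=100):
    """Sorted list of sources whose peak one-minute event count reaches the
    threshold. The default reflects the post's 'hundreds of attempts per
    minute'; lower it if your environment's normal noise is much quieter."""
    return sorted(src for src, s in stats.items()
                  if s["peak_per_minute"] >= per_minute_threshold)


if __name__ == "__main__":
    stats = summarize_sources(parse_export(build_sample_csv()))
    for src in offending_sources(stats):
        s = stats[src]
        print(f"{src}: {s['events']} events, peak {s['peak_per_minute']}/min, "
              f"{len(s['accounts'])} accounts tried, servers {sorted(s['servers'])}")
```

Run it against a real export by replacing `build_sample_csv()` with the file's contents; the flagged addresses are the machines to pull off the network and clean, and the per-source account and server sets tell you how far the brute forcing has spread.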