Hello,
Check the Following Article from Symantec and Microsoft which answers all your Questions:
1) Best Practice for Downadup.B and Additional information on the same.
https://www-secure.symantec.com/connect/articles/b...
2) Security Response blog: "Downadup: Locking Itself Out"
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/243
3) A good public reference to Active Directory auditing can be found on Technet: "Auditing Policy"
http://technet.microsoft.com/en-us/library/cc779526.aspx
4) Another good Microsoft resource: Account Lockout and Management Tools. There is one tool, ALockout.dll, which can help identify the process which is supplying incorrect credentials. This may be useful in finding suspicious files to submit to Security Response.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
If your users and computers are members of an Active Directory domain (which is likely in an enterprise environment):
1) Please check the user account's status in Active Directory Users and Computers. The user account may be displayed as locked. Unlocking it from this administrative console is a simple task. Once the user account is unlocked, they should be able to log in to their computer.
2) Attempt to log in as a different user (another valid user account on the domain, or perhaps the administrator).
3) Attempt to log into the local computer rather than using the domain credentials.
In all these cases: as soon as the user has access to the computer, they should download the latest antivirus definitions, isolate the computer from the network and perform a full system scan.