Sorry- don't use HIPS but,
Have a look at the info here:
and there's a detection tool too.
Also this site here:
We had a bunch of unpatched eval thin clients that got infected with conficker when it came out and we noticed that there was multiple account logons in the security event log (we audit logons). VirusScan blocked and detected the source of it to the thin clients.
Also, we ended up disabling autorun on the domain.
I'm amazed at how many peoples home machines must be infected - still with conficker as we are still detecting it at work.