how many windows boxes do you know that have a "root" account?

Again, looks like worm or bot activity. Any way to spot the source address of the host sending these requests in? I mean, the domain controller running netmon can capture this information very easily. That is, if it still is happening.