
While debugging my web application in Fiddler, I found out that there are some suspicious requests to some hotel sites, search requests to google.pl, etc. See the images below. Strangely, there is no process displayed in Fiddler.

(Images: Fiddler network packet trace; suspicious packet; Fiddler network packet trace)

It's definitely a virus. I don't know how to find out which software or process is causing it. Any help to further analyze and secure my system is highly appreciated.

Xander
Kiran Ambati

4 Answers


You won't see a process if the request is not from the local machine, I.E., if you are allowing other machines to proxy via Fiddler. Check the Tools | Telerik Fiddler Options menu, and on the Connections tab, see if "Allow remote computers to connect" option is checked. If it is, this is likely where these requests are coming from, and why you can't identify the process they're associated with.

Xander

I would suggest Sysinternals: https://technet.microsoft.com/en-us/sysinternals/default.aspx.

These tools are good to have in your toolkit when investigating odd behavior:

TCPView

TCPView will show you open connections and let you force close connections.

Autoruns

This program shows you programs that are set to start on boot and will let you remove them from autostarting. Windows has a number of places that programs can get injected to autostart.

Process Explorer and Process Monitor

These programs allow you to view running processes, ownership information, open files and open ports, dump memory owned by the process, and let you kill these programs.


Microsoft's TCPView will show the link between processes and network connections:

https://technet.microsoft.com/en-us/library/bb897437.aspx

    Used this; it looks good. However, the problem is that those connections close very fast. By the time I observe and click on one, it vanishes. Luckily I could click on one (I think I did), but it says System and the PID is 0. Also some say NetBIOS. – Kiran Ambati Jun 30 '15 at 05:54

You can try:

netstat -abn

Which will show the process, if available.

You can also try:

netstat -aon

Which will show the PID which you can then lookup in the task manager.

However, it may not show up in either of those places depending upon how stealthy it is. If it doesn't show up there are techniques to use things like Logman logging Winsock activity, but it gets a little complicated from there.

k1DBLITZ
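The two netstat commands in this answer and the TCPView comment further up run into the same limitation: a single snapshot misses a socket that lives for a fraction of a second. The script below is an added example, not code from any of the answers or from the asker. It is stdlib-only Python that polls `netstat -aon` a few times a second, diffs consecutive snapshots, and logs every TCP connection it has not seen before together with the owning PID and the image name from `tasklist /FO CSV /NH`. The sample netstat and tasklist output embedded in it is constructed for offline testing; the addresses, PIDs and process names in it (`updater.exe`, `chrome.exe`, and so on) are made up and not taken from the question.

```python
"""Poll `netstat -aon` fast enough to catch short-lived connections, and log
each new one with its owning PID and image name (from `tasklist`).
Stdlib only. Run on the Windows host from an elevated prompt."""
import csv
import io
import re
import subprocess
import time

# One data row of `netstat -aon`: proto, local, foreign, [state], PID.
# UDP rows carry no state column, so that group is optional.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per connection row; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def new_connections(seen, conns):
    """Return rows whose (proto, local, remote) key was not seen before and add
    them to `seen`. The ephemeral local port makes each socket unique, so a
    socket moving ESTABLISHED -> TIME_WAIT is reported only once."""
    fresh = []
    for c in conns:
        key = (c["proto"], c["local"], c["remote"])
        if key not in seen:
            seen.add(key)
            fresh.append(c)
    return fresh


def owner_name(pid, names):
    """netstat reports PID 0 for TIME_WAIT rows: the owner has already closed
    the socket, so its name cannot be recovered from this snapshot."""
    if pid == 0:
        return "(owner already closed socket)"
    return names.get(pid, "?")


def interesting(c):
    """Skip listeners; keep every TCP row with a peer, loopback included, since a
    process that sends through Fiddler shows up as a client of 127.0.0.1:8888."""
    return c["proto"] == "TCP" and c["state"] != "LISTENING"


# Constructed sample output (not captured from the asker's machine) so the
# parsing and diffing can be exercised offline.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49800        127.0.0.1:8888         ESTABLISHED     7788
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4321
  TCP    192.168.1.10:49715     203.0.113.5:80         TIME_WAIT       0
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1180
"""
SAMPLE_TASKLIST = """\
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","148 K"
"svchost.exe","912","Services","0","9,620 K"
"updater.exe","7788","Console","1","3,200 K"
"chrome.exe","4321","Console","1","210,112 K"
"""


def annotate(netstat_text, tasklist_text, seen):
    """One poll cycle: return (local, remote, state, pid, name) for each
    not-yet-seen, non-listening TCP row in this snapshot."""
    names = parse_tasklist_csv(tasklist_text)
    return [(c["local"], c["remote"], c["state"], c["pid"], owner_name(c["pid"], names))
            for c in new_connections(seen, parse_netstat(netstat_text)) if interesting(c)]


def watch(interval=0.2):
    """Live loop: poll until Ctrl-C, printing each new connection once."""
    seen = set()
    while True:
        ns = subprocess.run(["netstat", "-aon"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
        for local, remote, state, pid, name in annotate(ns, tl, seen):
            print(f"{time.strftime('%H:%M:%S')} {local} -> {remote} {state} pid={pid} {name}")
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Two details matter when reading the log. A row that is already in TIME_WAIT is reported by netstat with PID 0, because the process has closed the socket by then; that is the "System, PID 0" the commenter saw, and the only cure is to poll often enough to catch the socket while it is SYN_SENT or ESTABLISHED. And since Fiddler is a proxy listening on 127.0.0.1:8888 by default, the process that originates a suspicious request appears as a client connection to 127.0.0.1:8888 rather than to the hotel site itself; the outbound connection to the site belongs to Fiddler. The PID on the loopback row is the one to look up.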