Let me guess; you are using Chrome right?

This is not a virus (note how they are all 10-letter “domains”), this is Chrome testing DNS servers to detect failure-redirection.

What happens is that some ISPs have changed their DNS servers so that when you try to navigate to a URL that does not exist, instead of providing you with a simple error page, instead the ISP provides you with an actual web page that has ads, search results, and other junk—presumably related to the URL/search term that you attempted to go to. (Chrome itself offers this as an option.)

Chrome combines the search bar and the address bar together into the Omnibar and also hides the protocol by default (you don’t have to specifically enter http://; it is assumed). Moreover, a URL doesn’t have to have a TLD, it can be something like http://svn/. Therefore, when you type a word into the Omnibar, it is not obvious whether you are trying to enter a URL or a search term. As such, Chrome needs a way of detecting whether you are performing a search or trying to navigate to a site.

So to avoid having the user frustratingly always see an ISPs error/ad page when they type such terms in the Omnibar, what Chrome does is to try connecting to a few random, nonsense URLs. If they all (magically) resolve, and to the same IP at that, then Chrome knows that the DNS server is redirecting to an error page, and so Chrome can react accordingly (e.g., treat the term as a search query, ask you for alternate, related terms; etc.)

Plus, it also helps to avoid DNS hijacking since in that scenario, most if not all (depending on the hijacking implementation) DNS queries will usually be resolved to the same IP for spying before being passed on (if at all) to the real IP.

Here’s a few places this has been discussed: [1], [2], [3], [4], [5]

A couple of things you can try:

• Charles itself might be logging what application is making those requests (if it sends a user agent string).

  You can search for the User-Agent in the Request tab of the <default> entry:

  

• If the requests occur frequently enough, you can try a connection monitor like CurrPorts.

  Order by Remote Host and refresh until you find an entry matching randomletters:

  

• randomletters isn't a FQDN, so if those requests are made intentionally – rather than some human error like, e.g., pointing to an absolute URL instead of a relative one – the hostname has to get mapped to an IP somehow.

  Try pinging a recent hostname (ping randomletters) to see if it does.

• Check the hosts file (usually C:\Windows\system32\drivers\etc\hosts) for any entries for randomletters.

  If it contains any, you can use Process Monitor to find the application that modifies the hosts file.

  Launch it, press Ctrl + L to open the Filter... dialogue and create a filter that excludes everything that doesn't access the hosts file: