6

A few months ago I went to do a search from the Firefox search page (the default home page) on my computer and one of the previously run searches in the dropdown was for "pee porn." At the time it was a little upsetting as I thought maybe my temporary housemate was responsible, but the dates and times related to the search didn't add up. I looked through the history and could not find any evidence that anything was accessed after the search, nor could I find the search results page for this query in the browser history. Perhaps the history was deleted, but I never figured it out; the computer eventually got reformatted and I didn't think about it again.

Fast forward to a few days ago, my daughter and I were playing a game on my wife's laptop when I alt-tabbed out to Firefox to look up something for the game. On the Firefox search page, in the first five entries was a search done for "girl eats own p***y". I shooed my daughter away and looked at what else was on the list; there was "huge c--t porn," "men lick their c-- off girl b------," and possibly others (you get the point).

Assuming these searches are related, this set of fetishes is so diverse and in language that neither of us would ever in a million years use that my first guess was that this is all some kind of SEO attempt. The thing that gets me though is that I can't find any evidence that these searches are ever completed or that anything is accessed as a result. I 10000000% don't believe it's my wife doing this, I didn't do it, and I don't have any kids or visitors who would have done it either.

Virus scans are clean; both affected computers run Adblock Plus and the laptop in question just came back reformatted from the shop in May.

Anybody else have anything like this pop up on home or work computers?

Thanks

Edit: I'm starting to get some validation in that I'm not the only one who seems to have this problem. This Google thread (http://productforums.google.com/forum/#!category-topic/websearch/unexpected-search-results/dmT4efq3-HY) has a bunch of people complaining about weird searches showing up in their Google History.

jstar
  • 69

3 Answers

9

There are two things I'd suggest here:

SU malware removal community wiki should be your first port of call.

Nirsoft has a few tools that may be useful in terms of forensics - my last search should help you find searches and when they were done, at least as far as the browser is concerned. He also has tools for looking at cache, cookies and history. If nothing else, if all this happens at weird hours, you could rule out human involvement, short of a cat burglar with an embarrassing porn fetish.

As for prevention, if you're running XP (or even newer Windows versions), you may want to consider doing everything as a limited user and have per-user accounts. If nothing else, this should contain any weirdness to that user.

Mithical
  • 321
Journeyman Geek
  • 133,878
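The timestamp check suggested in the answer above, sketched as an added example that is not part of the original answer or of any Nirsoft tool. It assumes Firefox keeps search-box entries in the profile's `formhistory.sqlite`, in table `moz_formhistory` under the fieldname `searchbar-history`, with times stored as microseconds since the Unix epoch; the sample rows and function names are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SEARCH_FIELD = "searchbar-history"  # assumed fieldname for search-box entries
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def to_us(*ymdhm):
    """UTC calendar time -> microseconds since the Unix epoch."""
    return int((datetime(*ymdhm, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 1_000_000

def build_sample_db():
    """Constructed stand-in for a copy of formhistory.sqlite (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT,"
               " value TEXT, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER)")
    rows = [
        (SEARCH_FIELD, "game crafting recipes", 3, to_us(2013, 6, 10, 19, 30), to_us(2013, 6, 12, 18, 2)),
        (SEARCH_FIELD, "constructed unexpected query", 1, to_us(2013, 6, 11, 3, 12), to_us(2013, 6, 11, 3, 12)),
        ("email", "user@example.com", 5, to_us(2013, 6, 9, 12, 0), to_us(2013, 6, 12, 9, 0)),
        (SEARCH_FIELD, "weather tomorrow", 2, to_us(2013, 6, 11, 8, 5), to_us(2013, 6, 12, 8, 1)),
    ]
    db.executemany("INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed,"
                   " lastUsed) VALUES (?, ?, ?, ?, ?)", rows)
    return db

def search_entries(db, utc_offset_hours=0):
    """Search-box entries with first/last use converted to local time, oldest first."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = lambda us: (EPOCH + timedelta(microseconds=us)).astimezone(tz)
    sql = ("SELECT value, timesUsed, firstUsed, lastUsed FROM moz_formhistory"
           " WHERE fieldname = ? ORDER BY firstUsed")
    return [{"query": v, "times": n, "first": local(f), "last": local(l)}
            for v, n, f, l in db.execute(sql, (SEARCH_FIELD,))]

def odd_hour_queries(entries, start_hour=1, end_hour=6):
    """Queries first typed between start_hour and end_hour local time."""
    return [e["query"] for e in entries if start_hour <= e["first"].hour < end_hour]

if __name__ == "__main__":
    for e in search_entries(build_sample_db()):
        print(e["first"].isoformat(), e["times"], e["query"])
```

To run it on real data, replace `build_sample_db()` with `sqlite3.connect()` on a copy of the profile's `formhistory.sqlite` taken while Firefox is closed, and pass the machine's UTC offset so the hours are judged in local time.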
2

Do you use Firefox's sync? If so, is it possible you've synced with another computer that someone else had access to? That could definitely account for this behavior. Is it possible that you logged into your google account on someone else's computer (or library, work, school) and left it logged in? I'm not sure if that would cross computers automatically, but if so it could just be searches someone else made before you were logged out.

techturtle
  • 9,376
-1

I'm not sure this can be a virus or rootkit since you have AV installed.

I would install a keylogger to check all hits from the keyboard. The log will contain the dates and times of the hits, so it will be much easier to narrow down the time frame and possible cause.

Additionally, some firewalls / AVs have the possibility of an extended log - you may want to enable this. It might show accessed web pages.

If you are determined and your ISP provides its own DNS server - so you don't have something like 8.8.8.8 as your DNS entry - you may want to ask your ISP for the date and time when the query for this particular domain was sent to the DNS server.

You can also install a local proxy which will collect all the URLs and log them, and direct the browser to use this local proxy.

mnmnc
  • 4,257