If you use Google and stay logged in, you can turn on search history, and then use the google search history to see when those searches were made. And introduce your roommate to Google Chrome and ctrl+shift+n – jcolebrand – 2012-07-26T20:57:02.877

If he determines there's malware causing this, I'd vote against using any malware removal tools. Given the symptoms, there would be at least a rootkit involved here, and malware travels in packs. It'd be easy to remove the obvious symptoms and unknowingly leave behind a more nefarious keylogger designed to steal credit card, bank passwords, or the like. – Joel Coehoorn – 2012-07-27T13:53:49.527

Oh yes, If his system is compromised to hell, reformatting is a very good idea. I still think checking for malware would be the first thing to do, before deciding on a course of action – Journeyman Geek – 2012-07-27T14:28:43.767

I've activated Google history on both our accounts just to see if I can drill down on any future occurrences.

It is my understanding that reformatting does not always eliminate rootkits. Is this true? – jstar – 2012-07-27T15:33:30.337

Oh, and I fired up MyLastSearch and it cannot find any evidence of these searches, even with the Google Instant exclusion disabled. These queries were entered but like my first experience with it there is no residual evidence... – jstar – 2012-07-27T15:34:47.030

I checked; sync is not enabled. – jstar – 2012-07-27T15:33:42.180

5"I'm not sure this can be a virus or rootkit since you have AV installed." - A popular misconception. Having said that, Occam's Razor in this case would point to someone actually doing those searches. – EBGreen – 2012-07-26T14:25:15.650

i've heard of worms that block certain DNS queries or drops connections to certain sites. I've never heard of a worm that will search nasty things by using ones browser. What would be the benefit? Malware usually access the url directly - no need to search for the page as it might raise an unnecessary alarm. – mnmnc – 2012-07-26T14:29:02.493

1Viruses often have no real benefit for the writer these days. They are written simply to show that they can be. – EBGreen – 2012-07-26T14:30:41.527

2@EBGreen: Quite the opposite. Gone are the olden days when people wrote viruses to show off; most malware these days aims for commercial gain - be it ad popups, clickjacking, identity theft, ransom, corporate espionage or something else. Perhaps those searches might have been inserted by malware trying to promote some shady site? – Piskvor left the building – 2012-07-26T14:55:12.993

2Either way, stating that it is unlikely to be a virus just because AV is installed is faulty logic in my experience. Having said that, in my opinion, I would rank virus below the likelihood of someone actually doing those searches. – EBGreen – 2012-07-26T15:00:51.237

@EBGreen - Which is the exact reason this answer should be voted down. Having security software only tells you one thing, your not infected with known infections, which is the simplest to solve. – Ramhound – 2012-07-26T15:16:56.040

@EBGreen I'd love to hear the logic behind your reasoning that someone did the search. I can't imagine someone coming in and executing a group of searches like that in a row but never going to a website referred to by any of the searches--I'm trying to imagine a scenario, perhaps you could explain yours. I'd think that if you were to look for the simplest answer--well I'd have to bypass that one. – Bill K – 2012-07-27T15:58:26.260

So if I understand the situation, you are saying that the search terms are cached in the firefox start page which is actually google. In other words, they pop up in the search box when you start typing in search. However when you look at the browser history, you do not see any pages being opened that match the sort of things that you would expect the search to return. To me this sounds like someone that knows how to open the history and delete pages out of it. – EBGreen – 2012-07-27T16:18:43.817

Basically my logic is that there is not much reason for doing the searches unless you plan to do something with the result. So given that as a premise, I would take the next step that something was actually done with the result. This means that if it were a virus, the virus is also cleaning up the history after itself. If it were actually being done by a person, they are cleaning up the history after themselves. I just think it to be more likely that a person would care more about cleaning up the history than a virus. – EBGreen – 2012-07-27T16:21:27.120

I will add that if it were a virus,and that the purpose of the virus were to promote porn sites, I would expect the virus to already know the sites that it wanted to promote and not to be doing a web site for types of sites. – EBGreen – 2012-07-27T16:22:41.673

Here's the kicker as to why I think it's a virus or script and not human intervention-- the "pee porn" result I found months ago through Google History put the time and date of access at a time that my wife and I were verifiably both sitting side-by-side at our computers, most assuredly not searching for porn. This is absolutely incontrovertible fact. Fast forward to now when I'm seeing equally odd searches coming up on HER computer. I thought as well that someone is picking clean the history but it really doesn't add up; I would have found SOMETHING residual by now. – jstar – 2012-07-27T16:32:49.257

As to why this stuff is just being searched for and not accessed, I don't know, but my speculation is that the virus writer wants to check to see if their client site is prominently ranked when a user searches for particular keywords. – jstar – 2012-07-27T16:35:05.137

They could do that much easier from their own browser. – EBGreen – 2012-07-27T18:05:14.090

Either way, further discussion especially of speculation like this should probably be in chat. – EBGreen – 2012-07-27T18:07:42.883