PrimeLookup is a Chrome extension that may unexpectedly appear among your browser’s add-ons, causing your search queries to be redirected. As a browser hijacker, it poses a subtle threat to anyone who continues using the affected system. Removing this unwanted extension isn’t easy, so in this post, I’ll explain its origins and guide you through the removal process.
Overview
The PrimeLookup Extension is a type of malware designed to take over your web browser, altering its behavior to suit the preferences of its creators. In this case, all search queries are redirected to malicious search engines like boyu.com.tr and Potterfun.com.
To further complicate removal, the PrimeLookup extension exploits a remote management feature in Google Chrome and Chromium browsers, which shows up as the “Managed by your organization” message. Once PrimeLookup is installed, this message appears in your browser settings, rendering any attempts to change settings or remove the extension ineffective.
Over the last couple of months, search hijacker-type rogue extensions have become prevalent, and this hijacker fits the category in every respect. Such extensions route user searches to a different search engine, one controlled by fraudulent actors. This can have quite worrying consequences, especially when the user pays no attention to where they click.
How does it work?
Like the SwiftSeek or ZoomFind extensions, PrimeLookup falls into the category of search hijacker plugins. Its core activity is intercepting all search queries made by the user and routing them through malicious search systems. With this specific plugin, Potterfun.com is the final destination, though this may change in other similar rogue extensions. During the redirection, however, the query passes through an intermediary website, where additional query parameters are added. This is what leads to the main danger of the attack scheme.
When the user types a search query, instead of Google (or the search engine of their choice) they see results from Potterfun.com, additionally infused with search ads. And this is the major point of concern: these ads contain a lot of phishing pages and scams. Google and Bing do not carry 100% safe promotions either, but here the dangerous results are there by design. Following them (which may easily happen for users who don’t understand what is happening) will certainly lead to credential leaks, money loss, or even malware injection.
Spreading Ways
In the majority of cases, users get infected with PrimeLookup through fraudulent software sharing/downloading websites. These sites can offer unwanted extensions under the guise of a desired program, a game mod, or sometimes even a film. Unsuspecting folks click the downloaded file and, in fact, install the malicious extension.
Sometimes users see not a file-sharing site but a fake bot protection page that requires them to confirm they’re human by installing a “security browser plugin”. The outcome may be different, as quite a lot of other viruses use the same scheme. We have a special article regarding these fake human verifications – consider checking that out.
Although it generally spreads through fraudulent channels, the extension was available from the Chrome Web Store for a short period of time. This was likely done to legitimize the extension: users won’t see the warning in the Extension tab, and will find it through search in the Web Store. Nonetheless, it is not even remotely safe, as I’ve proven above.
How to Remove PrimeLookup?
There are two options for removing PrimeLookup: an automated approach and a manual one. I recommend sticking to the automated one, as it will eliminate the malicious extension and all other unwanted elements. Still, you can try undoing the extension manually, even though it is time-consuming and requires a certain amount of PC skill.
Using Anti-Malware
To get rid of the PrimeLookup extension automatically, run a Full scan with GridinSoft Anti-Malware. This will take about 15 minutes, and will remove the malware even from the most remote parts of the system.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.
Manual Removal Steps
To delete PrimeLookup manually, you will need to undo the changes it has made to the system. This involves going through the system registry and the Group Policies list. Please follow these steps thoroughly, so nothing will restrict you from deleting the pesky extension.
Step 1. Group Policies Removal
The first step in dealing with “Managed by your organization” is to remove the policies that the malware changes to enable this state. This method does not require access to the Group Policies Editor, which is unavailable for non-Pro editions of Windows. All you have to do is find and remove all the folders listed below. Note: their deletion will require administrator privileges.
\System32\GroupPolicy
\System32\GroupPolicyUsers
\Program Files (x86)\Google\Policies
\Program Files\Google\Policies
Step 2. Removing Registry Keys
The next step is going through the registry keys that may contain malicious configurations. Press the Win+R combination, and type “regedit” in the search window. This will get you to the Registry Editor; there, find and delete the keys you see below.
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKLM\Software\Policies\Google\Update
HKLM\Software\Policies\Chromium
HKLM\Software\Google\Chrome
HKLM\Software\WOW6432Node\Google\Enrollment
HKCU\Software\Policies\Google\Chrome
HKCU\Software\Policies\Chromium
HKCU\Software\Google\Chrome
Not all keys may be present, as this depends on the installed software, browser configuration, the malware that made the changes and other things. Nonetheless, you should delete all the keys you can find.
Once done, reboot your computer to apply the changes. Then, you should be able to edit any of the Chrome settings and remove any browser extensions that may have previously been blocked from editing.
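Before deleting anything, it helps to see which of the locations from Steps 1 and 2 actually exist and what policy values they hold. The PowerShell script below is an added example, not part of the original guide or of any vendor tool; it only reads and reports. It assumes the folder paths above sit under the Windows directory and the two Program Files directories, which it resolves through environment variables.

```powershell
# Read-only audit of the folders and registry keys named in Steps 1 and 2.
# Nothing is deleted or modified.
# Assumption: the folder paths on the page are relative to the Windows
# directory and to the Program Files directories.
$folders = @(
    (Join-Path $env:SystemRoot 'System32\GroupPolicy'),
    (Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'),
    (Join-Path $env:ProgramFiles 'Google\Policies')
)
if (${env:ProgramFiles(x86)}) {
    $folders += Join-Path ${env:ProgramFiles(x86)} 'Google\Policies'
}

$keys = @(
    'HKLM:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Google\Update',
    'HKLM:\Software\Policies\Chromium',
    'HKLM:\Software\Google\Chrome',
    'HKLM:\Software\WOW6432Node\Google\Enrollment',
    'HKCU:\Software\Policies\Google\Chrome',
    'HKCU:\Software\Policies\Chromium',
    'HKCU:\Software\Google\Chrome'
)

foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        # -Force includes hidden items; the GroupPolicy folders are hidden by default.
        $n = @(Get-ChildItem -LiteralPath $f -Recurse -Force -File -ErrorAction SilentlyContinue).Count
        Write-Output "FOLDER present: $f ($n files)"
    }
}

foreach ($k in $keys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    Write-Output "KEY present: $k"
    # Walk the key and all subkeys and print every value, so that forced
    # extension IDs (Chrome's ExtensionInstallForcelist policy) and search
    # overrides can be recorded before the key is removed.
    $nodes = @(Get-Item -LiteralPath $k) +
             @(Get-ChildItem -LiteralPath $k -Recurse -ErrorAction SilentlyContinue)
    foreach ($node in $nodes) {
        foreach ($name in $node.GetValueNames()) {
            $value = $node.GetValue($name) -join ','
            Write-Output ("  {0} :: {1} = {2}" -f $node.Name, $name, $value)
        }
    }
}
```

Saving the output gives a record of the extension IDs and policy values that were enforced, which is useful for confirming after the reboot that they are gone.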