jackjohnson44
 asked on

uniisales chrome extension

Every time I restart my computer and I open up chrome I see it has the UniisaleS chrome extension.  I can remove it manually but it comes back after each restart.
Anti-Virus Apps, Anti-Spyware, OS Security

Last Comment
Robert Retzer

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Robert Retzer

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
SOLUTION
btan

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
jackjohnson44

ASKER
Hi guys,
I tried the above, but it didn't seem to help.

http://www.bleepingcomputer.com/download/adwcleaner/ popped up a security screen from Windows, I accepted then nothing happened.

I tried the unisales instructions, but I didn't have the registry values.

I looked for those files in c:\ProgramData\... but I didn't have that folder.

I did have another folder though with a webpage and some js files.  In the html it just has some js references.  In the js references there is some really strange code that I can't read.  I moved this folder to my desktop and the problem went away on my next reboot.

Check out the attached zip.  It's only js and html.  I wouldn't open the html, but any idea what's going on in the js?

In the manifest.json file, there is a reference to unnisales

{
  "name": "uniisaleS",
  "version": "2.0",
  "description": "",
  "manifest_version": 2,
  "background": {"page": "background.html"},
  "content_scripts": [
    {
		"all_frames": true,
		"matches": ["http://*/*","https://*/*"],
		"js": ["content.js"],
		"run_at":"document_end"
    }
  ],
  
  "permissions": [
    "http://*/*",
    "https://*/*",
    "tabs",
    "cookies",
    "management",
    "notifications",
    "contextMenus",
    "management",
    "storage"
  ]
}



I guess this was doing it.

What is the deal with AppData?  What is telling Chrome to run this file?
jackjohnson44

ASKER
Here are the files.
Robert Retzer

If you tried to get a security screen when you went to http://www.bleepingcomputer.com/download/adwcleaner/ to download adwcleaner it may have been possible you clicked on the wrong link. Nowadays there is so much advertising for other products on the website it is very difficult sometimes to know which link is the link that contains the software you want to download. They seem to do their best to try to get you to click on the paid advertising links. If you click on the link Download now @ Bleeping computer you should be able to download and run adwcleaner, the same thing for The Junk removal tool (JRT).
btan

unisales and appdata can be random and I suspect this is a variant, and it seems not to be the same unisales that we have discussed so far. The pasted content is from manifest.json, rightfully still found in "ProgramData" with a random subfolder name. It is known to be flagged as a Google Chrome extension and it references a "content.js", which is commonly referenced by PUPs in Chrome extensions, and it includes the uniiiSales variant (other named PUPs such as "AllChheapPrice", "SaaffErwEB", "ProicceLess" ...). See https://www.herdprotect.com/content.js-e02fa0e42bff87f9aecd6bf1270c28de66ddc24d.aspx

In one instance the uniiiSales manifest.json can be found in, e.g.:
C:\ProgramData\application data\<random alpha char>\manifest.json
What is it?
This is the Google Chrome manifest for the extension named 'uniiiSales' and contains the URLs that the app uses, including the launch page, background pages, icons and images and permissions for the app. This extension is not distributed through the Chrome Web Store and is typically installed by a third party installer. The web browser extension is distributed through WebPick's InstallRex platform and is designed to inject advertising offers in the browser including banners and coupons based on the context of the underlying website - Read more at https://www.herdprotect.com/manifest.json-4b9e93fa0838647e9c68233f054faccfef44ae37.aspx
So if we scan for manifest.json or content.js... and remove those that mention the PUP, esp. the uniiSales (and its variants), it can remove it from running in the Chrome browser.

Specifically, the content script as shared below injects into, in this case, every web page (["http://*/*","https://*/*"]) in the Chrome browser.
content script @https://developer.chrome.com/extensions/content_scripts
manifest @ https://developer.chrome.com/extensions/manifest
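
The scan suggested in the answer above, as an added example that is not part of the original thread: it walks a folder for manifest.json files and reports extensions that request the same kind of access as the manifest posted earlier. The function names and the choice of which permissions to flag are assumptions made for this illustration.

```python
import json
import os

# Permissions (all present in the manifest quoted above) worth a closer look.
SENSITIVE = {"tabs", "cookies", "management"}
ALL_URLS = {"http://*/*", "https://*/*", "*://*/*", "<all_urls>"}

# Trimmed copy of the manifest.json posted above, used as sample input.
SAMPLE = {
    "name": "uniisaleS", "manifest_version": 2,
    "content_scripts": [{"all_frames": True, "js": ["content.js"],
                         "matches": ["http://*/*", "https://*/*"]}],
    "permissions": ["http://*/*", "https://*/*", "tabs", "cookies",
                    "management", "notifications", "contextMenus", "storage"],
}


def triage_manifest(manifest):
    """Return findings for one parsed manifest.json dict."""
    findings = []
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hits = sorted(SENSITIVE.intersection(perms))
    if hits:
        findings.append("sensitive permissions: " + ", ".join(hits))
    if ALL_URLS.intersection(perms):
        findings.append("host access to every site")
    for script in manifest.get("content_scripts", []):
        if ALL_URLS.intersection(script.get("matches", [])):
            scope = "all frames" if script.get("all_frames") else "top frame"
            files = ", ".join(script.get("js", []))
            findings.append(f"injects {files} into every page ({scope})")
    return findings


def scan(root):
    """Walk root and return {manifest path: findings} for flagged manifests."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON
        if isinstance(manifest, dict) and "manifest_version" in manifest:
            report[path] = triage_manifest(manifest)
    return {p: f for p, f in report.items() if f}
```

Point `scan()` at the folder where the extension files turned up (for example the ProgramData or AppData locations mentioned in this thread) and review each reported path before deleting anything. Legitimate extensions can request the same permissions, so a finding is a prompt to inspect, not proof of a PUP.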
jackjohnson44

ASKER
Thanks!
Robert Retzer

I was happy to help, thanks for awarding me points for my solution.