uniisales chrome extension

Every time I restart my computer and I open up chrome I see it has the UniisaleS chrome extension.  I can remove it manually but it comes back after each restart.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

web_trackerComputer Service TechnicianCommented:
it could be malware that is reinstalling the chrome extension use tools like: JRT (junkremoval tool) http://www.bleepingcomputer.com/download/junkware-removal-tool/ and AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/ 
one or both tools should remove the unwanted malware.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
For such PUP (potentially unwanted program) which include unisales as adware , below are some suggestions,

A) AdwCleaner is also recommended. It should surface this adware as "Win32/BHOUninstaller.AA potentially unwanted application".

Also I suggest Malwarebytes Anti-Malware Free or HitmanPro scan to be thorough @ http://malwaretips.com/blogs/ads-by-unisales-removal/

B) Google also came out with Software removal tool that can scan your computer for unwanted and suspicious programs - Remove software that affects Chrome @ https://www.google.com/chrome/srt/

C) Was initially wanting to check the global extension list in registry but seems like unisales extension (.crx) can come in variant and e.g. include it can be in Path e.g. one of it is
uunisales -
CHR Extension: (uunisales) - C:\ProgramData\ejgnfgbcnlcpocghhialoalfflkkkbjp\ []
C:\Program Files (x86)\uunisales

uniisalues -
C:\Program Files (x86)\uniisalues

Chrome global Extension list ref @ http://www.howtogeek.com/140464/how-to-manually-uninstall-a-globally-installed-chrome-extension/

D) If lastly all these doesnt help then I suggest resetting Chrome browser to its default settings.

But will be good to start fresh overall for Chrome if possible...
jackjohnson44Author Commented:
Hi guys,
I tried the above, but it didn't seem to help.

http://www.bleepingcomputer.com/download/adwcleaner/  poped up a security screen from windows, I accepted then nothing happened.

I tried the unisales instructions, but I didn't have the registry values.

I looked for those files in c:\ProgramData\... but I didn't have that folder.

I did have another folder though with a webpage and some js files.  In the html it just has some js references.  In the js references there is some really strange code that I can't read.  I moved this folder to my desktop and the problem went away on my next reboot.

Check out the attached zip.  It's only js and html.  I wouldn't open the html, but any idea what's going on in the js?

In the manifest.json file, there is a reference to unnisales

  "name": "uniisaleS",
  "version": "2.0",
  "description": "",
  "manifest_version": 2,
  "background": {"page": "background.html"},
  "content_scripts": [
		"all_frames": true,
		"matches": ["http://*/*","https://*/*"],
		"js": ["content.js"],
  "permissions": [

Open in new window

I guess this was doing it.

What is the deal with AppData?  What is telling Chrome to run this file?
Virus Depot: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!

jackjohnson44Author Commented:
here are the files
web_trackerComputer Service TechnicianCommented:
if you tried to get a security screen when you went to http://www.bleepingcomputer.com/download/adwcleaner/ to download adwcleaner it may have been possible you clicked on the wrong link. Now adays there is so much advertising for other products on the website it is very difficult some times to know when link is the link that contains the software you want to download. They seem to do their best to try to get you to click on the paid advertising links. If you click on the link Download now @ Bleeping computer you should be able to download and run adwcleaner, the same thing for The Junk removal tool (JRT).
btanExec ConsultantCommented:
unisales and appdata can be random and I suspect this is a variant, and it seems not to be a same unisales that we have discuss so far. The pasted content is from manifest.json, rightfully still found in "ProgramData" with random subfolder name. It is known to flagged as Google chrome extension and it reference a "content.js" which commonly reference by PUP in chrome extension and it includes uniiiSales variant (other named PUP such as "AllChheapPrice", "SaaffErwEB", "ProicceLess" ...). See @ https://www.herdprotect.com/content.js-e02fa0e42bff87f9aecd6bf1270c28de66ddc24d.aspx

one instance the uniiiSales 's manifest.json can be found in e.g.
C:\ProgramData\application data\<random alpha char>\manifest.json
What is it ?
This is the Google Chrome manifest for the extension named 'uniiiSales' and contains the URLs that the app uses, including the launch page, background pages, icons and images and permissions for the app. This extension is not distributed through the Chrome Web Store and is typcially installed by a third party installer. The web browser extension is distributed through WebPick's InstallRex platform and is designed to inject advertising offers in the browser including banners and coupons based on the context of the underlying website - Read more at https://www.herdprotect.com/manifest.json-4b9e93fa0838647e9c68233f054faccfef44ae37.aspx
SO if we scan for manifest.json or content.js...and remove those with mention on the PUP esp the uniiSales (and its variants), it can remove it from running in the Chrome browser.

Specifically the content script as shared in below injects into, in this case, every web pages (["http://*/*","https://*/*"]) in the chrome browser.
content script @https://developer.chrome.com/extensions/content_scripts
manifest @ https://developer.chrome.com/extensions/manifest
jackjohnson44Author Commented:
web_trackerComputer Service TechnicianCommented:
I was happy to help, thanks for awarding me points for my solution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.