NewsUpd.exe is a spyware program that is silently installed when installing certain Creative Labs hardware, including the SoundBlaster (tm) 16. This program is not disclosed in the License Agreement or mentioned in the relevant documentation.
This really burns me up.
This isn't some sleazy shareware application downloaded from God-knows-where,
but legitimately purchased hardware from a legitimate-looking company,
that is installing advertising spyware along with its hardware drivers!!
This is a clear betrayal of user trust. (Ed. note: I discovered this particular
piece of spyware when installing a Creative Labs SB16 on my OWN system,
so I am quite obviously angered. The heads-up came when Zone Alarm alerted
me that an unknown application newsupd.exe was trying to access the Internet.
Creative has yet to make good on my request
for a refund on my advertising-subsidized hardware purchase.)
When the Creative drivers are installed using the provided set-up utility, the NewsUpd.exe program is written to disk and installed in the Registry's Run key with the /q parameter. This parameter instructs the software to automatically and silently perform its unwelcome functions without making its presence known to the user. If the spyware program is run without the /q parameter, it displays a message indicating that its purpose is to periodically "retrieve the latest news", and asks whether you would like to run it on start-up. The program even identifies itself as "News Update" utility, but analysis of its file accesses and network connections makes clear that it is in fact an advertisement download and tracking technology with a comprehensive
system. The implication that it performs a useful news function appears
to be a disingenuous attempt to fib about the program's true purpose. Also
suspicious are the fact that the spyware stores its plaintext configuration
files as .SYS (system) files (perhaps in an attempt to scare users away
from deleting them?). The spyware appears to be activated by Creative LAVA
and the Creative Playcenter application, which is installed as the default
audio player. (Ed. Note: Delete Creative PlayCenter and install Winamp
as your audio player -- you'll thank me later :)
The spyware components are not mentioned in the License Agreement presented with the software install and registration nag. The only possible "disclosure" is a section of the License which states:
Creative does not warrant that the functions contained in the Software will meet your requirements or that the operation of the Software will be uninterrupted, error-free or free from malicious code. For purposes of this paragraph, "malicious code" means any program code designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network, including viruses, Trojan horses, droppers, worms, logic bombs, and the like.
The program downloads "news" (advertisements) from
a dedicated ad server.
Manual Removal Procedure
Always try the easy stuff first. I am told that NewsUpd directory has an uninstall script already in it. Greg writes:
There is a standard InstallShield setup log file in the main creative news folder. You can manually initiate a clean uninstall by typingThe path to the .isu file in the line above may need to be changed depending on where NewsUpd installed to.
C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
It still leaves some empty folders, but this is probably the easiest and safest way to get rid of the spyware.
You can also delete the program manually, by following the steps below:
Delete the directory containing NewsUpd.exe (usually C:\Program Files\Creative\News\) and any sub-directories.
Delete C:\Windows\ctnews.ini if it exists.
Delete C:\Windows\ctnet.ini if it exists.
Remove the Registry Run key for NewsUpd.exe under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Dick, a Creative user, writes in the following:
I am a little lazy when it comes to searching in Windows, so I only entered "adv" when looking for something relating to NewsUpd.exe, and came across a folder that you don't mention, that I do believe is tied into this program. It is called "Advertise", and it contains what appears to be a list of types of sites, and ads, that I've viewed. The
full path to it, on my machine is: "C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\Custom\United States\Advertise\".
For your perusal are also the files contained in this directory.
This may be from an updated
(or entirely new!) version of Creative Labs spyware, but the unmistakable
AdvServ.sys and similar files indicate beyond reasonable doubts, they are
indeed files of some NewsUpd.exe variant. The URL lines in AdvServ.sys
and Default.sys point to
At the time of this writing (21-Jun-2001), accessing the home page returns
document (containing "f*ck CHINA Government, f*ck PoizonBOx"), apparently
resulting from infection by the sadmind/IIS
worm. The worm uses a recently-discovered buffer overflow exploit to
take over (root) the server. (Does newsupd.exe have auto-update functions?
If the server running it has been compromised, what might this server hold
in store for hapless users' newsupd.exe connecting to it...)
On Dell systems, Creative's spyware file is named UPDTRAY.EXE.
FileMonitor log for NewsUpd.exe - I found the reading/writing of IE cache files particularly disturbing...I hope this is a natural phenomenon related to NewsUpd possibly using IE libraries to download and display ads, and nothing less above-board :-(
Digging up setup instructions on my new "SpyBlaster 16" under Linux, I came across reports that this card is intentionally crippled to prevent it from competing with SB's more expensive offerings. The SB16 PCI, based on the ES1373 audio chip, sports such hidden features as AC-3 digital audio (cleverly 'hidden' on the left analogue output).
See this page documenting the 'hidden' digital output on SB16 PCI (also known as a Creative Labs AudioPCI), and select the Ensoniq AudioPCI driver from the
drivers page for an un-crippled SB16 PCI driver. Screenshot
While on this subject, it
seems that there is a card out called SB PCI512 (EMU10k chip), that is
a SB Live! 1024 without the Live!Ware software.