Your generous donations help keep this site online! Click here to support
Advertising Spyware: NewsUpd.exe

NewsUpd.exe is a spyware program that is silently installed when installing certain Creative Labs hardware, including the SoundBlaster (tm) 16. This program is not disclosed in the License Agreement or mentioned in the relevant documentation.

This really burns me up. This isn't some sleazy shareware application downloaded from God-knows-where, but legitimately purchased hardware from a legitimate-looking company, that is installing advertising spyware along with its hardware drivers!! This is a clear betrayal of user trust. (Ed. note: I discovered this particular piece of spyware when installing a Creative Labs SB16 on my OWN system, so I am quite obviously angered. The heads-up came when Zone Alarm alerted me that an unknown application newsupd.exe was trying to access the Internet. Creative has yet to make good on my request for a refund on my advertising-subsidized hardware purchase.)

Infection method
When the Creative drivers are installed using the provided set-up utility, the NewsUpd.exe program is written to disk and installed in the Registry's Run key with the /q parameter. This parameter instructs the software to automatically and silently perform its unwelcome functions without making its presence known to the user. If the spyware program is run without the /q parameter, it displays a message indicating that its purpose is to periodically "retrieve the latest news", and asks whether you would like to run it on start-up. The program even identifies itself as "News Update" utility, but analysis of its file accesses and network connections makes clear that it is in fact an advertisement download and tracking technology with a comprehensive reporting system. The implication that it performs a useful news function appears to be a disingenuous attempt to fib about the program's true purpose. Also suspicious are the fact that the spyware stores its plaintext configuration files as .SYS (system) files (perhaps in an attempt to scare users away from deleting them?). The spyware appears to be activated by Creative LAVA and the Creative Playcenter application, which is installed as the default audio player. (Ed. Note: Delete Creative PlayCenter and install Winamp as your audio player -- you'll thank me later :)

The spyware components are not mentioned in the License Agreement presented with the software install and registration nag. The only possible "disclosure" is a section of the License which states:

Creative does not warrant that the functions contained in the Software will meet your requirements or that the operation of the Software will be uninterrupted, error-free or free from malicious code. For purposes of this paragraph, "malicious code" means any program code designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network, including viruses, Trojan horses, droppers, worms, logic bombs, and the like.

The program downloads "news" (advertisements) from, a dedicated ad server.

Manual Removal Procedure

Always try the easy stuff first. I am told that NewsUpd directory has an uninstall script already in it. Greg writes:

There is a standard InstallShield setup log file in the main creative news folder. You can manually initiate a clean uninstall by typing
C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\News\CTNews.isu"
It still leaves some empty folders, but this is probably the easiest and safest way to get rid of the spyware.
The path to the .isu file in the line above may need to be changed depending on where NewsUpd installed to.

You can also delete the program manually, by following the steps below:

Delete the directory containing NewsUpd.exe (usually C:\Program Files\Creative\News\) and any sub-directories.
Delete C:\Windows\ctnews.ini if it exists.
Delete C:\Windows\ctnet.ini if it exists.
Remove the Registry Run key for NewsUpd.exe under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]

Dick, a Creative user, writes in the following:
I am a little lazy when it comes to searching in Windows, so I only entered "adv" when looking for something relating to NewsUpd.exe, and came across a folder that you don't mention, that I do believe is tied into this program.  It is called "Advertise", and it contains what appears to be a list of types of sites, and ads, that I've viewed.  The
full path to it, on my machine is:  "C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\Custom\United States\Advertise\".

For your perusal are also the files contained in this directory.

This may be from an updated (or entirely new!) version of Creative Labs spyware, but the unmistakable AdvServ.sys and similar files indicate beyond reasonable doubts, they are indeed files of some NewsUpd.exe variant. The URL lines in AdvServ.sys and Default.sys point to At the time of this writing (21-Jun-2001), accessing the home page returns this document (containing "f*ck CHINA Government, f*ck PoizonBOx"), apparently resulting from infection by the sadmind/IIS worm. The worm uses a recently-discovered buffer overflow exploit to take over (root) the server. (Does newsupd.exe have auto-update functions? If the server running it has been compromised, what might this server hold in store for hapless users' newsupd.exe connecting to it...)

On Dell systems, Creative's spyware file is named UPDTRAY.EXE.

FileMonitor log for NewsUpd.exe - I found the reading/writing of IE cache files particularly disturbing...I hope this is a natural phenomenon related to NewsUpd possibly using IE libraries to download and display ads, and nothing less above-board :-(

Digging up setup instructions on my new "SpyBlaster 16" under Linux, I came across reports that this card is intentionally crippled to prevent it from competing with SB's more expensive offerings. The SB16 PCI, based on the ES1373 audio chip, sports such hidden features as AC-3 digital audio (cleverly 'hidden' on the left analogue output).
See this page documenting the 'hidden' digital output on SB16 PCI (also known as a Creative Labs AudioPCI), and select the Ensoniq AudioPCI driver from the Creative drivers page for an un-crippled SB16 PCI driver. Screenshot

While on this subject, it seems that there is a card out called SB PCI512 (EMU10k chip), that is really a SB Live! 1024 without the Live!Ware software.

Up One Level (Adware/Spyware)
HomeE-mailCopyrights and Disclaimers