Cisco, Certicom, RSA, McAffee (via RSA), Juniper, Blackberry/RIM, OpenPeak, OpenSSL, Samsung, Symantec, Riverbed, Cummings Engineering, CoCo Communications, Kony, Lancope (via RSA), Mocana, Safenet, SafeLogic, Panzura, Microsoft, Thales e-Security, Catbird, ARX all list Dual_EC_DRBG as at least supported.
Of these, RSA (and presumably the others based on their, like McAffee and Lancope), Thales e-Security, and possibly Microsoft (Windows Server 2008 R2 lists only Dual_EC_DRBG, though its possible that that's just their only FIPS compliant one and they use some non-standard algorithm by default) seem to use Dual_EC_DRBG by default or as the only option. I haven't tried finding documentation on all of these to see if they say what their default algorithm is, so it may be more.
edit to add: Found this discussion on the OpenSSL users list, about why they added it. Apparently it was because a paying customer requested it, thought the customer is not named for confidentiality reasons. OpenSSL doesn't appear to enable the NIST/FIPS random number generators unless you compile it in FIPS mode (at least, as far as I can tell from a quick, their build system is a bit weird, and FIPS mode is even stranger):