RealNetworks Spyware?

So I fire up the computer today and the first thing I get is a message from ZoneAlarm asking “Do you want to allow RealNetworks Dynamic App Launcher to access the Internet? Destination IP:, Filename: RNDAL.EXE Version, this is the program’s first attempt to access the Internet” WTF is this and where did it come from? Is it in any way related to Real Audio (which I already have plenty of reasons to hate)? What should I do? Should I be concerned?

Yeah, I’m sure it is. Its one of the reasons I haven’t installed Real Audio in the past year, nor plan to again in the future…

Answer “no.” Screw Real and their spyware.

That wasn’t meant to be a smiley but rather “Destination IP: DNS”

Who is and what do they want to know about me? I have removed a line from the registry which I assumed was the culprit:

TkBellExe . . . C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

What is this?

BTW, the only thing I changed yesterday is I installed a US Robotics USB ADSL Modem. Would US Robotics install some spyware on my computer?

It supposed to be an automatic update feature so you that Real can check for the latest version of whatever program you are using. I have instructed ZA to never allow Real access to the internet.

Automatic update huh? I guess it is not as bad as it could be but what I don’t understand though is that I do not remember using Real Audio in the last few days and this is the first time I see this … how did it start? what triggered it?

One thing is for sure: I am getting a new computer very soon and Real Audio is not one of the things I will be installing. I have just a few songs in RA and converting them to WAV is a pain but that’s what I’ll be doing.

BTW, a good way to see what’s running on your computer is to run msinfo32.exe and go to software.

I hate RealPlayer. My wife installed that crap on our PC a few weeks ago and I’m considering locking her privledges on the computer.

Chances are RealPlayer was only doing its update check but unless you have a sniffer running and hack the packets you never can really tell what info they’re collecting. Think I’m making that up? Check out this regarding Windows XP Media Player 8. That nice little program sends data on ALL media you play in it to Microsoft. Nice huh?

There really needs to be some laws about this sort of thing. A nice simple law that requires a user to be asked EVERY time a program wants to send data on its own would be good with the option to cancel that send if you wish.

To get rid of spyware, install Ad-Aware and run it periodically to make these problems go away. Another tool for IE users is IE-SpyPad. It adds a blacklist of known spammers and advertising hosts to the list of Restricted Sites. Once added, they cannot run scripts or install cookies. Both are free. I’ve been using them for a long while now with great success in addition to other pop-up killers.

Theres another good one called PestPatrol which I use as well as Ad-Aware, just to be safe.

Gator is the best. When I installed the DivX player, I found that I had to install a program called GAIN (Gator Information Network or something like that) for “Personalised Internet experience”. First thing, Zonealarm discovers a program called “gain_trickler.exe” trying to access the interet. Every time the computer starts. Even if I havent used DivX.
Bah. One quick once-over in the registry and its just a memory

Steve Gibson at has some opinions about Real and their practices:

stockton, thanks for the link which is enlightning (and Real Networks is outrageous)

kingtrw, I recently installed the DivX codec but I did not download the player and now I’m glad I didn’t. To tell the truth I try to restrict myself to installing only the things I absolutely need because of this type of stuff.

evilhanz, those links were very interesting. Thanks. I ran spyad and will look at the other one later. I also updated my Hosts file from here

Whack-a-Mole, I am definitely not installing Real Player again in my life. What they do is outrageous. I’ll also be careful with XP although for now I have no intention of upgrading anything.

Interesting thing about the IP address: It’s owned by some group in Spain. Madrid, Spain, to be exact. It maps to a machine called, which is owned by IBERNET, a telecommunications company (specifically, an ISP) in, as I said, Madrid.

Why Real Networks would be buying bandwidth from Europeans is beyond me. Must be cheap over there.

(All of the information I got I gained from a session with Sam Spade using pretty standard network information-gathering services (reverse DNS and whois). Amazing what a little knowledge will get you.)

(On an even more useless note, a fast traceroute of failed completely. Yeah, I’m a compulsive network nerd. :D)

I certainly don’t think this is anything suspicious, just odd.