GnuCash Portable 2.2.8 Creates Keylogger??

I really don't want to believe that a keylogger has been purposely programmed into GnuCash, a financial management program, so I don't know if it's been hacked or something???...

To give you an idea, here's what happened:

I tried installing GnuCash Portable on my flash drive on my own computer. Since I don't use my Admin profile unless it's necessary, I was using a profile without Admin rights. I do not have a full non-portable version of GnuCash installed on my machine.

First I ran GnuCash_Portable_2.2.8.paf from my flash drive to install the program into the Portable Apps launcher, and I repeatedly instructed my computer's firewall to "Allow" various (ORANGE-rated) steps of the installation process to continue.

During the setup procedure, I allowed outgoing TCP access to "textreplace.dll" (which was the 3rd action requested and I trusted it), and later also to "gconfd-2.exe" through a second port. (Each of these subsequently used outgoing TCP access a second time via a third and fourth port.)

Towards the end, according to my firewall log, it appears that textreplace.dll then used (or tried to use) C:\WINDOWS\system32\svchost.exe(1304)

Then Local Settings\Temp\nsh1325.tmp\textreplace.dll wants to access hard disk directly using device \Device\Harddisk3\DP(1)0-0+c\PortableApps\GnuCashPortable\libguile-srfi-srfi-13-14-v-1.la

And then Local Settings\Temp\nsh1325.tmp\textreplace.dll wants to access hard disk directly using device \Device\Harddisk3\DP(1)0-0+c\PortableApps\GnuCashPortable\wdmaud.drv

Finally with C:\Documents and Settings\UserName\Local Settings\Temp\nsh1325.tmp\textreplace.dll, I met with a RED alarm window telling me that a KeyLogger was detected, and that textreplace.dll (which had supposedly been in \LocalSettings\Temp\nsh1325.tmp may record my keystrokes. At this time, I finally blocked it.

Not sure what exactly happened here, because when I showed all hidden files and went to my Local Settings Temp folder to find "nsh1235.tmp" to delete textreplace.dll, there was no nsh1235.tmp folder.

I have since removed GnuCash Portable from my Portable Apps and my firewall program is showing that the textreplace.dll keylogger no longer exists on the system.

I did find it interesting however that I had just installed the Portable App launcher and Portable Thunderbird (among other Portable Apps) a day or so before, and that I found a "textreplace.dll" file in a different LocalSettings\Temp\nxxxxxx.tmp folder that also has other system and registry .dll files created and modified at the same time as this second folder's textreplace.dll, but earlier than the date I installed GnuCash. (Since I also found a flashpage jpeg image of Thunderbird Portable in that folder, I'm guessing this nxxxxxx.tmp folder may have been created either as a Thunderbird Portable temp folder or as a shared PortableApps folder in my C drive's temp folder. Not sure which process put it there and what its purpose was/is.)

Yet the keylogger culprit "textreplace.dll" file - the one that triggered the alert later during the GnuCash installation now appears to be gone (since I removed GnuCash), and the nsh1235.tmp folder it was supposedly in was never found on my C system in the first place, (which seemed strange since my firewall flagged it as a keylogger in that folder on my C drive, before I removed GnuCash from the flash drive).

So sorry this is so long. It was rather disturbing so I felt it was at least worth mentioning. I've removed the app, but is this something that needs to be fixed and that we need to be concerned about?

Perhaps someone can explain what exactly textreplace.dll is, it's purpose, and whether it is safe/customary for GnuCash Ptbl, Thunderbird Ptbl, or PortableApps to use it?

God bless.