You are here

GnuCash Portable 2.2.8 Creates Keylogger??

3 posts / 0 new
Last post
Last seen: 11 years 7 months ago
Joined: 2009-07-20 20:33
GnuCash Portable 2.2.8 Creates Keylogger??

I really don't want to believe that a keylogger has been purposely programmed into GnuCash, a financial management program, so I don't know if it's been hacked or something???...

To give you an idea, here's what happened:

I tried installing GnuCash Portable on my flash drive on my own computer. Since I don't use my Admin profile unless it's necessary, I was using a profile without Admin rights. I do not have a full non-portable version of GnuCash installed on my machine.

First I ran GnuCash_Portable_2.2.8.paf from my flash drive to install the program into the Portable Apps launcher, and I repeatedly instructed my computer's firewall to "Allow" various (ORANGE-rated) steps of the installation process to continue.

During the setup procedure, I allowed outgoing TCP access to "textreplace.dll" (which was the 3rd action requested and I trusted it), and later also to "gconfd-2.exe" through a second port. (Each of these subsequently used outgoing TCP access a second time via a third and fourth port.)

Towards the end, according to my firewall log, it appears that textreplace.dll then used (or tried to use) C:\WINDOWS\system32\svchost.exe(1304)

Then Local Settings\Temp\nsh1325.tmp\textreplace.dll wants to access hard disk directly using device \Device\Harddisk3\DP(1)0-0+c\PortableApps\GnuCashPortable\

And then Local Settings\Temp\nsh1325.tmp\textreplace.dll wants to access hard disk directly using device \Device\Harddisk3\DP(1)0-0+c\PortableApps\GnuCashPortable\wdmaud.drv

Finally with C:\Documents and Settings\UserName\Local Settings\Temp\nsh1325.tmp\textreplace.dll, I met with a RED alarm window telling me that a KeyLogger was detected, and that textreplace.dll (which had supposedly been in \LocalSettings\Temp\nsh1325.tmp may record my keystrokes. At this time, I finally blocked it.

Not sure what exactly happened here, because when I showed all hidden files and went to my Local Settings Temp folder to find "nsh1235.tmp" to delete textreplace.dll, there was no nsh1235.tmp folder.

I have since removed GnuCash Portable from my Portable Apps and my firewall program is showing that the textreplace.dll keylogger no longer exists on the system.

I did find it interesting however that I had just installed the Portable App launcher and Portable Thunderbird (among other Portable Apps) a day or so before, and that I found a "textreplace.dll" file in a different LocalSettings\Temp\nxxxxxx.tmp folder that also has other system and registry .dll files created and modified at the same time as this second folder's textreplace.dll, but earlier than the date I installed GnuCash. (Since I also found a flashpage jpeg image of Thunderbird Portable in that folder, I'm guessing this nxxxxxx.tmp folder may have been created either as a Thunderbird Portable temp folder or as a shared PortableApps folder in my C drive's temp folder. Not sure which process put it there and what its purpose was/is.)

Yet the keylogger culprit "textreplace.dll" file - the one that triggered the alert later during the GnuCash installation now appears to be gone (since I removed GnuCash), and the nsh1235.tmp folder it was supposedly in was never found on my C system in the first place, (which seemed strange since my firewall flagged it as a keylogger in that folder on my C drive, before I removed GnuCash from the flash drive).

So sorry this is so long. It was rather disturbing so I felt it was at least worth mentioning. I've removed the app, but is this something that needs to be fixed and that we need to be concerned about?

Perhaps someone can explain what exactly textreplace.dll is, it's purpose, and whether it is safe/customary for GnuCash Ptbl, Thunderbird Ptbl, or PortableApps to use it?

God bless.

Chris Morgan
Chris Morgan's picture
Last seen: 9 years 3 weeks ago
Joined: 2007-04-15 21:08
NSIS Plugin, perfectly safe

It's an NSIS plugin, and is perfectly safe. Feel free to look at Other\Source\GnuCashPortable.nsi and the TextReplace plugin page for details. Most of our apps use TextReplace and the ReplaceInFile macro, to update the drive letter in config files. The installers may also use it.

The Temp\n*.tmp stuff is where NSIS executables (as are our installers and launchers) extract things temporarily, e.g. the splash screen and plugins. They get removed at the end.

Rest assured that it's all fine. Could you please also tell us what the firewall software is, as well, so that we (or you) can report it to the manufacturer as a false positive.

Thanks for asking, it's much better to ask than to just leave Smile

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

Last seen: 11 years 7 months ago
Joined: 2009-07-20 20:33
Ok, if you're sure it's safe...

It's Online Armor.

Thanks for responding, Chris.
Have a great day.

Log in or register to post comments