u/AffectionateWest5395

Found pythonw.exe running from Startup after card fraud. What else should I check?

Hi everyone,

I had some suspicious card/account activity recently, and while checking my PC I found something that doesn’t look right.

Bitdefender showed a phishing attempt that was accessed by pythonw.exe. After that I searched the system and found a pythonw.exe shortcut inside the Windows Startup folder.

I also found a couple of suspicious folders under ProgramData. One of them had a random-looking name, and another one had a name that basically looked like “suspect do not run.” I deleted those and also removed the Startup shortcut.

Then I ran a full Bitdefender scan. It found and resolved 27 items, with 0 unresolved. Most of the detections seemed to come from old downloaded installers/archives I had sitting around.

What I already did:

  • Deleted the suspicious pythonw.exe Startup shortcut
  • Deleted suspicious folders from ProgramData
  • Removed old installers and archives I didn’t trust
  • Emptied Recycle Bin
  • Ran a full scan
  • Restarted the PC
  • Scanned again
  • Replaced the affected card
  • Changed important passwords from a clean device
  • Enabled 2FA and account alerts where possible

I know pythonw.exe can be normal, but in this case it was tied to a phishing alert and a Startup shortcut, so I’m treating it as suspicious.

What else should I check to make sure there’s no persistence left?

I’m thinking:

  • Task Scheduler
  • Services
  • Startup apps
  • Browser extensions
  • Saved browser sessions/cookies
  • Registry Run keys
  • Any unknown Python installs or scripts

Is there anything else I should look at?

Not asking how to run or bypass anything. I’m only trying to clean up the machine and make sure it’s safe.

u/AffectionateWest5395 — 3 days ago

I found a hidden pythonw.exe running after suspicious card activity — sharing this as a security warning


I’m sharing this because I wish I had taken the warning signs more seriously earlier.

A while ago, I started seeing suspicious activity involving my financial accounts/cards. At first, I didn’t immediately connect it to my computer. I thought maybe it was a leaked card, PayPal, or some random online transaction.

But after checking my PC more carefully, I found something that really concerned me.

There was a hidden pythonw.exe running in the background. Bitdefender also blocked a phishing page connected to crewcrewcrew.com, and the activity was linked to pythonw.exe.

I also found suspicious Startup behavior, which means something may have been set to run automatically when Windows started.

That was the moment I realized this was not just a normal antivirus alert.

I can’t say with 100% certainty that every suspicious card charge came from this, but my system was clearly exposed to something risky.

After running a full system scan, Bitdefender reported:

  • 27 threats resolved
  • 0 unresolved threats
  • Multiple detections related to suspicious tools, bundled installers, and unwanted applications
  • Suspicious files inside downloaded archives
  • A phishing attempt connected to a background process

Some suspicious locations included:

C:\ProgramData\...

and a Startup shortcut similar to:

AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pythonw.exe.lnk

That Startup shortcut was especially concerning because it could allow the process to relaunch after reboot.

What I did immediately:

  1. Removed suspicious Startup items
  2. Deleted suspicious folders from ProgramData
  3. Removed unknown installers, old archives, and suspicious downloads
  4. Emptied the Recycle Bin
  5. Ran a full antivirus scan
  6. Restarted and scanned again
  7. Replaced affected cards
  8. Changed important passwords from a clean device
  9. Enabled account alerts and 2FA
  10. Stopped downloading software from unknown sources

My biggest takeaway:

If you see pythonw.exe running and you don’t know why, don’t ignore it. pythonw.exe can be legitimate, but it can also run silently in the background without showing a window. That makes it risky when abused.

Also, don’t assume a file is safe just because Windows Defender didn’t warn you immediately. Some threats may only appear during a deeper scan, and some archived files may not be fully scanned if they are protected or compressed in unusual ways.

I’m not posting this to blame one specific website, antivirus, or service. I’m posting it because this was a wake-up call for me.

The stress of dealing with suspicious card activity, possible stolen sessions, and password concerns is not worth taking chances with unknown software.

Please check your systems.

Check Startup folders.
Check Task Scheduler.
Search for suspicious pythonw.exe locations.
Remove unknown installers and suspicious archives.
Change passwords from a clean device.
Turn on 2FA.
Monitor your bank and PayPal activity.

A “free” download can end up costing far more than expected.

u/AffectionateWest5395 — 4 days ago
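
The checks listed in both posts (Startup folders, Registry Run keys, Task Scheduler, Services, running processes) can be done in one read-only pass. The script below is an added example, not part of the original posts; the match pattern and the `Add-Hit` helper are assumptions made for illustration, and it only reports entries, it changes nothing.

```powershell
# Added example: read-only audit of autostart locations for Python interpreters/scripts.
$pattern = 'pythonw?\.exe|\.pyw?\b'   # assumption: what counts as a hit (case-insensitive)
$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($Where, $Name, $Command) {
    if ($Command -match $pattern) {
        $hits.Add([pscustomobject]@{ Location = $Where; Name = $Name; Command = $Command })
    }
}

# 1. Per-user and all-users Startup folders; resolve each .lnk to its real target.
$shell = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    $command = $_.Name
    if ($_.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($_.FullName)
        $command = "$($_.Name) -> $($lnk.TargetPath) $($lnk.Arguments)"
    }
    Add-Hit 'Startup folder' $_.FullName $command
}

# 2. Registry Run / RunOnce keys (current user, machine, and 32-bit view).
$runKeys = foreach ($root in 'HKCU:\Software', 'HKLM:\Software', 'HKLM:\Software\WOW6432Node') {
    "$root\Microsoft\Windows\CurrentVersion\Run"; "$root\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($valueName in $item.GetValueNames()) {
            Add-Hit $key $valueName ([string]$item.GetValue($valueName))
        }
    }
}

# 3. Scheduled tasks: inspect every action's executable and arguments.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        Add-Hit 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" "$($action.Execute) $($action.Arguments)"
    }
}

# 4. Services and currently running processes (command lines need an elevated prompt).
Get-CimInstance Win32_Service | ForEach-Object { Add-Hit 'Service' $_.Name ([string]$_.PathName) }
Get-CimInstance Win32_Process | ForEach-Object {
    Add-Hit 'Running process' "PID $($_.ProcessId)" "$($_.ExecutablePath) $($_.CommandLine)"
}
$hits | Format-List
```

A legitimate Python install can also appear in the output, so judge each hit by where its target lives. An empty result covers only the locations the script reads; browser extensions and saved sessions are not checked by it.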