Sasser.A Remover for Windows: Complete Removal Checklist (Feb 3, 2026)
Before you start
- Backup: Save personal files to an external drive or cloud.
- Disconnect: Unplug from networks (Wi‑Fi/Ethernet) to prevent spread.
- Admin account: Log in as a local administrator.
Tools you’ll need
- Up-to-date antivirus/anti-malware (Windows Defender, Malwarebytes, or similar)
- Sasser-specific removal tool from a reputable vendor (if available)
- Windows installation media or System Restore access (for advanced repair)
- Safe Mode access (F8/Shift+Restart)
Step-by-step removal
-
Boot into Safe Mode with Networking
- Hold Shift and click Restart → Troubleshoot → Advanced options → Startup Settings → Restart → choose Safe Mode with Networking.
-
Update signatures
- Open your antivirus/anti-malware and update virus definitions.
-
Run full scans
- Run a full system scan with Windows Defender and then with a second scanner (e.g., Malwarebytes). Quarantine/remove detected items.
-
Use a Sasser-specific remover
- If a vendor provides a Sasser.A removal tool, download from the vendor site and run it. Follow instructions to remove leftover components.
-
Check and stop malicious processes/services
- Open Task Manager and Services. Look for suspicious entries (unfamiliar names or svchost duplicates). End tasks and disable services that are confirmed malicious.
-
Remove autorun entries
- Run msconfig or Autoruns (Sysinternals). Disable startup entries related to Sasser components.
-
Delete infected files
- Common Sasser files: look for suspicious EXEs in C:\Windows\ and C:\Windows\System32\ (confirm with scanner/quarantine lists before deleting). Do not delete system files unless guidance confirms maliciousness.
-
Repair system files
- Run Command Prompt as admin:
Code
sfc /scannow DISM /Online /Cleanup-Image /RestoreHealth - Reboot after completion.
- Run Command Prompt as admin:
-
Apply patches
- Install latest Windows updates—especially MS03-026/LSASS patch historically associated with Sasser—and confirm system is fully patched.
-
Restore network and monitor
- Reconnect to network. Monitor system behavior and run another full scan.
Post-removal steps
- Change passwords on accounts accessed from the machine (do this from a known-clean device).
- Check other devices on the same network for signs of infection and scan them.
- Enable automatic updates and real-time protection.
- Create a system restore point after confirming the machine is clean.
If removal fails or system unstable
- Use System Restore to roll back to a clean point.
- Perform an in-place repair install of Windows (keeps files/apps).
- Full reinstall (clean install) if the system cannot be trusted.
Quick checks to confirm removal
- No Sasser-related detections on multiple scanners.
- No suspicious startup entries or unfamiliar services.
- sfc /scannow reports no integrity violations.
- Normal CPU/network usage restored.
If you want, I can provide vendor download links, a list of common Sasser filenames/process names to look for, or step-by-step commands for Autoruns and Registry cleanup.
Leave a Reply