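# ==============================================================================
# AUDIT-SYSTEM-V2.PS1 - OPTIMISED (FAST) VERSION
# ==============================================================================
# Read-only audit of a Windows machine for Symantec/Norton leftovers:
# a known driver file, services, installed programs (registry), drivers,
# scheduled tasks and running processes. Findings go to the console and to a
# log file in $env:TEMP.
# VERSION 2: reads the Uninstall registry keys instead of Win32_Product
# (Win32_Product is ~100x slower and triggers an MSI consistency check).
#
# Review notes (security):
#   * The log uploaded at the end contains the computer name, domain, user
#     name, OS version and the full path of every artefact found, and it is
#     sent to an external host ($uploadUrl). Use -NoUpload to keep it local.
#     The log is always written to $env:TEMP whether or not it is uploaded.
#   * The original process/driver filters used "*Sv*", which also matches
#     svchost.exe (and any driver path containing "sv"), so every machine was
#     reported as dirty. Filters are now anchored on the "SvTh" prefix.
#   * This script never stops, deletes or uninstalls anything. It only prints
#     the commands a technician may choose to run afterwards.
# ==============================================================================
#Requires -Version 5.1

[CmdletBinding()]
param(
    # Skip the automatic upload of the log to the diagnostic server
    # (default: upload, as in the original script).
    [switch]$NoUpload
)

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------
$ErrorActionPreference = "Continue"
$logPath   = "$env:TEMP\Audit-System-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
$uploadUrl = "https://super.boarder.w-turn.org/utilities/diagnostic-receiver.php"

# Elevation check: section 6 (Get-WindowsDriver) needs admin rights.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$currentIdentity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# Append one timestamped line to the log file (UTF-8, BOM written by Out-File).
function Write-Log {
    param([string]$Message)
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    "[$timestamp] $Message" | Out-File -FilePath $logPath -Append -Encoding UTF8
}

# Print a section banner to the console and mirror it into the log.
function Write-Section {
    param([string]$Title)
    $separator = "=" * 80
    Write-Host "`n$separator" -ForegroundColor Cyan
    Write-Host "  $Title" -ForegroundColor Cyan
    Write-Host "$separator" -ForegroundColor Cyan
    Write-Log "`n$separator"
    Write-Log "  $Title"
    Write-Log "$separator"
}

# ---------------------------------------------------------------------------
# Header
# ---------------------------------------------------------------------------
Clear-Host
# Note: in argument mode `Write-Host "="*80` is NOT evaluated as a
# multiplication (it prints the literal text), so the rule is computed first.
$bannerRule = "=" * 80
Write-Host $bannerRule -ForegroundColor Cyan
Write-Host "  AUDIT SYSTEME - DETECTION SYMANTEC/NORTON (VERSION RAPIDE)" -ForegroundColor White
Write-Host $bannerRule -ForegroundColor Cyan
Write-Host ""
Write-Host "Log: $logPath" -ForegroundColor Yellow
Write-Host "Admin: $(if($isAdmin){'OUI'}else{'NON (certaines verifications limitees)'})" -ForegroundColor $(if($isAdmin){'Green'}else{'Yellow'})
if ($NoUpload) {
    Write-Host "Upload du log: DESACTIVE (-NoUpload)" -ForegroundColor Yellow
}
Write-Host ""

Write-Log "=== AUDIT SYSTEME DEMARRE ==="
Write-Log "Version: 2.0 (OPTIMISEE - REGISTRE)"
Write-Log "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Log "Admin: $isAdmin"
Write-Log "Machine: $env:COMPUTERNAME"
Write-Log "Utilisateur: $env:USERNAME"

# Variables read by the recommendations section; initialised so that a
# section that throws does not leave them undefined.
$foundDrivers = @()
$svthServices = $null
$allServices  = $null
$programs     = @()
$tasks        = $null
$processes    = $null

try {
    # -----------------------------------------------------------------------
    # Section 1: system information
    # -----------------------------------------------------------------------
    Write-Section "INFORMATIONS SYSTEME"

    # CIM cmdlets replace the deprecated Get-WmiObject; same classes/properties.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    Write-Host "  OS: $($os.Caption) $($os.Version)" -ForegroundColor White
    Write-Host "  Ordinateur: $($cs.Name)" -ForegroundColor White
    Write-Host "  Domaine: $($cs.Domain)" -ForegroundColor White
    Write-Host "  Membre domaine: $(if($cs.PartOfDomain){'OUI'}else{'NON'})" -ForegroundColor $(if($cs.PartOfDomain){'Green'}else{'Yellow'})

    Write-Log "OS: $($os.Caption) $($os.Version)"
    Write-Log "Ordinateur: $($cs.Name)"
    Write-Log "Domaine: $($cs.Domain)"
    Write-Log "Membre domaine: $($cs.PartOfDomain)"

    # -----------------------------------------------------------------------
    # Section 2: look for the SvThANSP.sys driver file
    # -----------------------------------------------------------------------
    Write-Section "RECHERCHE PILOTE SvThANSP.sys"

    $driverFileName = "SvThANSP.sys"

    # Fixed location: System32\drivers.
    $directDriverPath = Join-Path $env:SystemRoot "System32\drivers\$driverFileName"
    if (Test-Path -LiteralPath $directDriverPath -PathType Leaf) {
        $foundDrivers += Get-Item -LiteralPath $directDriverPath
    }

    # DriverStore keeps a copy under a per-package sub-folder, hence the
    # recursive search instead of a wildcard path.
    $driverStoreRoot = Join-Path $env:SystemRoot "System32\DriverStore\FileRepository"
    if (Test-Path -LiteralPath $driverStoreRoot -PathType Container) {
        $foundDrivers += @(Get-ChildItem -LiteralPath $driverStoreRoot -Recurse -File `
                               -Filter $driverFileName -ErrorAction SilentlyContinue)
    }

    if ($foundDrivers) {
        Write-Host "`n[ERR] Pilote trouve:" -ForegroundColor Red
        foreach ($driverFile in $foundDrivers) {
            Write-Host "  Chemin: $($driverFile.FullName)" -ForegroundColor Yellow
            Write-Host "  Taille: $($driverFile.Length) octets" -ForegroundColor White
            Write-Host "  Modifie: $($driverFile.LastWriteTime)" -ForegroundColor White
            Write-Log "PILOTE TROUVE: $($driverFile.FullName) - $($driverFile.Length) octets - $($driverFile.LastWriteTime)"
        }
    } else {
        Write-Host "[OK] Aucun pilote SvThANSP.sys trouve" -ForegroundColor Green
        Write-Log "Pilote SvThANSP.sys: NON TROUVE"
    }

    # -----------------------------------------------------------------------
    # Section 3: SvTh* services
    # -----------------------------------------------------------------------
    Write-Section "SERVICES SvTh* (SYMANTEC THREAT)"

    $svthServices = Get-Service -Name "SvTh*" -ErrorAction SilentlyContinue
    if ($svthServices) {
        Write-Host "`n[WARN] Services SvTh* trouves:" -ForegroundColor Yellow
        foreach ($svc in $svthServices) {
            Write-Host "  Nom: $($svc.Name)" -ForegroundColor White
            Write-Host "  Nom affiche: $($svc.DisplayName)" -ForegroundColor White
            Write-Host "  Statut: $($svc.Status)" -ForegroundColor $(if($svc.Status -eq 'Running'){'Red'}else{'Yellow'})
            Write-Host "  Type demarrage: $($svc.StartType)" -ForegroundColor White
            Write-Log "SERVICE SvTh: $($svc.Name) - Statut: $($svc.Status) - Demarrage: $($svc.StartType)"
        }
    } else {
        Write-Host "[OK] Aucun service SvTh* trouve" -ForegroundColor Green
        Write-Log "Services SvTh*: AUCUN"
    }

    # -----------------------------------------------------------------------
    # Section 4: every service whose name or display name mentions the vendor
    # -----------------------------------------------------------------------
    Write-Section "SERVICES SYMANTEC/NORTON"

    $allServices = Get-Service | Where-Object {
        $_.Name -like "*Symantec*" -or $_.Name -like "*Norton*" -or
        $_.DisplayName -like "*Symantec*" -or $_.DisplayName -like "*Norton*"
    }
    if ($allServices) {
        Write-Host "`n[WARN] Services trouves:" -ForegroundColor Yellow
        foreach ($svc in $allServices) {
            Write-Host "  Nom: $($svc.Name)" -ForegroundColor White
            Write-Host "  Affichage: $($svc.DisplayName)" -ForegroundColor White
            Write-Host "  Statut: $($svc.Status)" -ForegroundColor $(if($svc.Status -eq 'Running'){'Red'}else{'Yellow'})
            Write-Log "SERVICE: $($svc.Name) - $($svc.DisplayName) - Statut: $($svc.Status)"
        }
    } else {
        Write-Host "[OK] Aucun service Symantec/Norton trouve" -ForegroundColor Green
        Write-Log "Services Symantec/Norton: AUCUN"
    }

    # -----------------------------------------------------------------------
    # Section 5: installed programs (fast path through the registry)
    # -----------------------------------------------------------------------
    Write-Section "PROGRAMMES SYMANTEC/NORTON INSTALLES (REGISTRE)"
    Write-Host "Recherche rapide dans le registre..." -ForegroundColor Yellow

    # Both the native and the WOW6432Node (32-bit on 64-bit) uninstall hives.
    $registryPaths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )
    foreach ($hive in $registryPaths) {
        $programs += @(Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "*Symantec*" -or $_.DisplayName -like "*Norton*" })
    }

    if ($programs) {
        Write-Host "`n[WARN] Programmes trouves:" -ForegroundColor Yellow
        foreach ($prog in $programs) {
            Write-Host "  Nom: $($prog.DisplayName)" -ForegroundColor White
            if ($prog.DisplayVersion) { Write-Host "  Version: $($prog.DisplayVersion)" -ForegroundColor White }
            if ($prog.Publisher)      { Write-Host "  Editeur: $($prog.Publisher)" -ForegroundColor White }
            if ($prog.InstallDate)    { Write-Host "  Date install: $($prog.InstallDate)" -ForegroundColor White }
            Write-Host ""
            Write-Log "PROGRAMME: $($prog.DisplayName) - Version: $($prog.DisplayVersion) - Editeur: $($prog.Publisher)"
        }
    } else {
        Write-Host "[OK] Aucun programme Symantec/Norton trouve" -ForegroundColor Green
        Write-Log "Programmes Symantec/Norton: AUCUN"
    }

    # -----------------------------------------------------------------------
    # Section 6: vendor drivers in the driver store (admin only)
    # -----------------------------------------------------------------------
    Write-Section "PILOTES NON SIGNES OU SUSPECTS"

    if ($isAdmin) {
        Write-Host "Analyse des pilotes installes..." -ForegroundColor Yellow
        # OriginalFileName is a full path, so the match on the driver name is a
        # substring match; it is anchored on "SvTh" rather than the original
        # "*Sv*", which matched unrelated paths.
        $drivers = Get-WindowsDriver -Online -ErrorAction SilentlyContinue | Where-Object {
            $_.ProviderName -like "*Symantec*" -or $_.ProviderName -like "*Norton*" -or
            $_.OriginalFileName -like "*SvTh*" -or $_.OriginalFileName -like "*Norton*"
        }

        if ($drivers) {
            Write-Host "`n[WARN] Pilotes suspects trouves:" -ForegroundColor Yellow
            foreach ($drv in $drivers) {
                Write-Host "  Nom: $($drv.OriginalFileName)" -ForegroundColor White
                Write-Host "  Fournisseur: $($drv.ProviderName)" -ForegroundColor White
                Write-Host "  Version: $($drv.Version)" -ForegroundColor White
                Write-Host "  Classe: $($drv.ClassName)" -ForegroundColor White
                Write-Log "PILOTE: $($drv.OriginalFileName) - Fournisseur: $($drv.ProviderName)"
            }
        } else {
            Write-Host "[OK] Aucun pilote suspect trouve" -ForegroundColor Green
            Write-Log "Pilotes suspects: AUCUN"
        }
    } else {
        Write-Host "[INFO] Verification pilotes necessite droits admin" -ForegroundColor Yellow
        Write-Log "Verification pilotes: NON (pas admin)"
    }

    # -----------------------------------------------------------------------
    # Section 7: scheduled tasks
    # -----------------------------------------------------------------------
    Write-Section "TACHES PLANIFIEES SYMANTEC/NORTON"

    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskName -like "*Symantec*" -or $_.TaskName -like "*Norton*" -or
        $_.TaskPath -like "*Symantec*" -or $_.TaskPath -like "*Norton*"
    }
    if ($tasks) {
        Write-Host "`n[WARN] Taches planifiees trouvees:" -ForegroundColor Yellow
        foreach ($task in $tasks) {
            Write-Host "  Nom: $($task.TaskName)" -ForegroundColor White
            Write-Host "  Chemin: $($task.TaskPath)" -ForegroundColor White
            Write-Host "  Etat: $($task.State)" -ForegroundColor White
            Write-Log "TACHE: $($task.TaskPath)$($task.TaskName) - Etat: $($task.State)"
        }
    } else {
        Write-Host "[OK] Aucune tache planifiee trouvee" -ForegroundColor Green
        Write-Log "Taches planifiees: AUCUNE"
    }

    # -----------------------------------------------------------------------
    # Section 8: running processes
    # -----------------------------------------------------------------------
    Write-Section "PROCESSUS SYMANTEC/NORTON EN EXECUTION"

    # "SvTh*" (prefix) instead of the original "*Sv*": the latter matched
    # svchost.exe on every machine and forced a "leftovers found" verdict.
    # Description is read from the main module and may be empty for
    # protected processes; that only makes the clause false.
    $processes = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.ProcessName -like "*Symantec*" -or $_.ProcessName -like "*Norton*" -or
        $_.ProcessName -like "SvTh*" -or
        $_.Description -like "*Symantec*" -or $_.Description -like "*Norton*"
    }
    if ($processes) {
        Write-Host "`n[WARN] Processus trouves:" -ForegroundColor Yellow
        foreach ($proc in $processes) {
            Write-Host "  Nom: $($proc.ProcessName)" -ForegroundColor White
            Write-Host "  PID: $($proc.Id)" -ForegroundColor White
            Write-Host "  Memoire: $([math]::Round($proc.WorkingSet64/1MB,2)) MB" -ForegroundColor White
            if ($proc.Path) { Write-Host "  Chemin: $($proc.Path)" -ForegroundColor White }
            Write-Log "PROCESSUS: $($proc.ProcessName) (PID: $($proc.Id))"
        }
    } else {
        Write-Host "[OK] Aucun processus trouve" -ForegroundColor Green
        Write-Log "Processus: AUCUN"
    }

    # -----------------------------------------------------------------------
    # Recommendations (printed only; nothing is executed)
    # -----------------------------------------------------------------------
    Write-Section "RECOMMANDATIONS DE NETTOYAGE"

    $hasIssues = [bool]($foundDrivers -or $svthServices -or $allServices -or $programs -or $tasks -or $processes)

    if ($hasIssues) {
        Write-Host "Des residus Symantec/Norton ont ete detectes." -ForegroundColor Yellow
        Write-Host "`nEtapes recommandees:" -ForegroundColor Cyan
        Write-Host ""

        if ($programs) {
            Write-Host "1. DESINSTALLER LES PROGRAMMES" -ForegroundColor White
            Write-Host "   - Panneau de configuration > Programmes > Desinstaller" -ForegroundColor Gray
            Write-Host "   - Utiliser Norton Remove and Reinstall Tool:" -ForegroundColor Gray
            Write-Host "     https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN" -ForegroundColor Gray
            Write-Host ""
        }

        if ($allServices -or $svthServices) {
            Write-Host "2. DESACTIVER ET SUPPRIMER LES SERVICES" -ForegroundColor White
            if ($svthServices) {
                foreach ($svc in $svthServices) {
                    Write-Host "   sc.exe config $($svc.Name) start= disabled" -ForegroundColor Gray
                    Write-Host "   sc.exe delete $($svc.Name)" -ForegroundColor Gray
                }
            }
            Write-Host ""
        }

        if ($foundDrivers) {
            Write-Host "3. SUPPRIMER LES FICHIERS PILOTES" -ForegroundColor White
            # A driver file under DriverStore is owned by a driver package; deleting
            # the .sys directly leaves a dangling package. pnputil is the supported
            # way to remove it (the oemNN.inf name comes from pnputil /enum-drivers).
            Write-Host "   (arreter/supprimer le service associe avant, cf. etape 2)" -ForegroundColor Gray
            foreach ($driverFile in $foundDrivers) {
                if ($driverFile.FullName -like "*\DriverStore\FileRepository\*") {
                    Write-Host "   pnputil /enum-drivers   # reperer le oemNN.inf du paquet contenant $($driverFile.Name)" -ForegroundColor Gray
                    Write-Host "   pnputil /delete-driver oemNN.inf /uninstall" -ForegroundColor Gray
                } else {
                    Write-Host "   del `"$($driverFile.FullName)`"" -ForegroundColor Gray
                }
            }
            Write-Host ""
        }

        if ($tasks) {
            Write-Host "4. SUPPRIMER LES TACHES PLANIFIEES" -ForegroundColor White
            foreach ($task in $tasks) {
                Write-Host "   Unregister-ScheduledTask -TaskName '$($task.TaskName)' -Confirm:`$false" -ForegroundColor Gray
            }
            Write-Host ""
        }

        Write-Host "5. REDEMARRER LE SYSTEME" -ForegroundColor White
        Write-Host "   shutdown /r /t 0" -ForegroundColor Gray
        Write-Host ""

        Write-Log "`nRECOMMANDATION: Nettoyage requis - residus detectes"
    } else {
        Write-Host "[OK] Aucun residu Symantec/Norton detecte !" -ForegroundColor Green
        Write-Host "Le systeme semble propre." -ForegroundColor Green
        Write-Log "RESULTAT: Systeme propre - aucun residu"
    }

    Write-Log "=== AUDIT TERMINE AVEC SUCCES ==="
} catch {
    # Best effort: record the failure and still offer the (partial) log.
    Write-Host "`n[ERR] Erreur durant l'audit: $($_.Exception.Message)" -ForegroundColor Red
    Write-Log "ERREUR: $($_.Exception.Message)"
    Write-Log "Stack: $($_.ScriptStackTrace)"
}

# ---------------------------------------------------------------------------
# Footer
# ---------------------------------------------------------------------------
Write-Host "`n$('='*80)" -ForegroundColor Cyan
Write-Host "AUDIT TERMINE" -ForegroundColor Green
Write-Host "Log sauvegarde: $logPath" -ForegroundColor Yellow
Write-Host "$('='*80)" -ForegroundColor Cyan
Write-Host ""

# ---------------------------------------------------------------------------
# Log upload (opt-out with -NoUpload)
# ---------------------------------------------------------------------------
# What leaves the machine: the whole log file, i.e. computer name, domain,
# user name, OS caption/version and every path/service/task name reported
# above. It goes to $uploadUrl (an external host) over HTTPS as a multipart
# form POST. Nothing else is sent.
if ($NoUpload) {
    Write-Host "Upload du log desactive (-NoUpload). Le log reste local: $logPath" -ForegroundColor Yellow
} else {
    Write-Host "Upload du log vers le serveur..." -ForegroundColor Yellow
    Write-Host "(le log contient le nom de machine, le domaine et le nom d'utilisateur ; utiliser -NoUpload pour l'eviter)" -ForegroundColor DarkYellow
    try {
        # Windows PowerShell 5.1 on older Windows builds may not offer TLS 1.2
        # by default; add it without removing whatever is already enabled.
        [Net.ServicePointManager]::SecurityProtocol = `
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

        $boundary   = [System.Guid]::NewGuid().ToString()
        $logContent = Get-Content $logPath -Raw -Encoding UTF8
        $fileName   = Split-Path $logPath -Leaf

        # Hand-built multipart/form-data body with a single "file" part.
        $bodyLines = @(
            "--$boundary",
            "Content-Disposition: form-data; name=`"file`"; filename=`"$fileName`"",
            "Content-Type: text/plain",
            "",
            $logContent,
            "--$boundary--"
        )
        $body = $bodyLines -join "`r`n"
        # Send bytes rather than a string so the wire encoding is UTF-8 regardless
        # of how Invoke-RestMethod would encode a string body.
        $bodyBytes = [System.Text.Encoding]::UTF8.GetBytes($body)

        $null = Invoke-RestMethod -Uri $uploadUrl -Method Post `
            -ContentType "multipart/form-data; boundary=$boundary" -Body $bodyBytes

        Write-Host "[OK] Log uploade avec succes !" -ForegroundColor Green
        Write-Host "Consultez: https://super.boarder.w-turn.org/utilities/log-viewer.html" -ForegroundColor Cyan
    } catch {
        Write-Host "[WARN] Impossible d'uploader le log: $($_.Exception.Message)" -ForegroundColor Yellow
        Write-Host "Vous pouvez uploader manuellement: https://super.boarder.w-turn.org/utilities/diagnostic.html" -ForegroundColor Yellow
    }
}

# Wait for a key press; RawUI.ReadKey is not available in every host
# (e.g. ISE, non-interactive sessions), so its failure is ignored.
Write-Host "`nAppuyez sur une touche pour fermer..."
try {
    $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
} catch {
    # Non-interactive host: nothing to wait for.
}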