Existing computer terminals can perform various data processing procedures, such as recovering a master boot record (MBR) during hardware booting, recovering files and data on a disk by an operating system, and recovering functions while an application program is running.
(I) MBR Recovery
Conventionally, booting the hardware in a computer may comprise the following steps. Firstly, the hardware is powered on. Then, POST (Power-on Self-test) codes for initiating, self-testing and booting the system are executed. Then, the MBR is read from sector 0 of the disk to memory address 0000:7c00, and execution jumps to address 0000:7c00 so that the corresponding program is executed during POST. Finally, the MBR looks for a first active partition, loads the boot sector of the first active partition into the memory and executes the boot sector, so as to boot the operating system; the boot sector includes the startup codes for booting the operating system.
It can be seen from the above procedure that the MBR plays an important role during booting. The MBR includes two parts: the first part is a small piece of program configured to look for the active partition, and the second part is a partition table. The MBR can be modified in a variety of ways, such as manually when the operating system is installed, by multi-program boot management software, by disk partitioning and recovery software, by antivirus software, and by malicious software.
Specifically, taking modification of the MBR by malicious software as an example, by modifying the MBR the malicious software takes over the operating system before the operating system is booted, so as to perform illegal operations on the computer. Currently, antivirus software can detect whether the MBR has been modified by malicious software. When the antivirus software detects that the MBR has been modified by malicious software, it will attempt to recover the MBR. Conventionally, the antivirus software generally recovers the MBR according to the following steps. Firstly, the original MBR is obtained (for example, by reading a backup file). Then, the current “modified MBR” is obtained. The modified MBR is what results after the malicious software modifies the original MBR. Subsequently, the partition table is fetched from the current “modified MBR” and put into the original MBR to form the “MBR used for recovery”. Finally, the “MBR used for recovery” is written into sector 0 of the disk, so that it is possible to enter the computer system by running the MBR used for recovery after rebooting the computer.
The inventors found that, although the above method for recovering the MBR can enable the user to boot the normal operating system and enter the system, the operating system still may not boot normally, because the above recovery procedure carries some risks (for example, whether the correct original MBR can be obtained is uncontrollable, whether the correct partition table can be fetched is uncontrollable, and the recovery result is uncontrollable).
Specifically, the risks may include the following. 1) An original MBR that has been modified by a plurality of legal and normal programs may be obtained, but the correct original MBR cannot be obtained if the original MBR has been modified and infected by the malicious software; recovering from the obtained MBR is then very dangerous. 2) The partition table is at a fixed location in the MBR by default and is important information referred to by the operating system; if the partition table contains errors, booting the operating system will fail. The MBR generally can be accessed and read. However, since various disk recovery software and antivirus software prevent access to the MBR or return a false MBR, fetching and combining the partition table carries a certain risk, and the correct original MBR cannot be obtained. The above risks are unpredictable and unavoidable. Once such risks occur, the operating system will be destroyed drastically.
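The conventional merge described above (boot code from the backup MBR, partition table from the current sector), written out as an added Python example that is not part of the original text. It assumes the standard MBR layout (446 bytes of code, four 16-byte partition entries at offset 446, signature 55 AA at bytes 510-511); the function names and the two sample sectors are constructed for illustration.

```python
import struct

SECTOR, PT_OFF, ENTRY = 512, 446, 16   # table of 4 x 16-byte entries at 0x1BE
SIG = b"\x55\xaa"                      # boot signature at bytes 510-511

def parse_table(mbr):
    """Decode the four partition entries; raise ValueError on a malformed sector."""
    if len(mbr) != SECTOR or mbr[510:512] != SIG:
        raise ValueError("not a 512-byte sector ending in 55 AA")
    parts = []
    for i in range(4):
        e = mbr[PT_OFF + i * ENTRY: PT_OFF + (i + 1) * ENTRY]
        lba, count = struct.unpack_from("<II", e, 8)   # little-endian start, length
        if e[0] not in (0x00, 0x80):                   # status: inactive or active
            raise ValueError(f"entry {i}: invalid status byte {e[0]:#04x}")
        parts.append({"active": e[0] == 0x80, "type": e[4], "lba": lba, "count": count})
    return parts

def first_active(parts):
    """Index of the first active, non-empty entry (what the MBR code boots), or None."""
    for i, p in enumerate(parts):
        if p["active"] and p["type"] != 0 and p["count"] > 0:
            return i
    return None

def build_recovery_mbr(original, current):
    """Boot code from the backup plus the partition table from the current sector."""
    parse_table(original)                      # backup must at least be well formed
    if first_active(parse_table(current)) is None:
        raise ValueError("current table has no bootable entry; refusing to merge")
    return original[:PT_OFF] + current[PT_OFF:510] + SIG

# --- constructed sample sectors (not real disk data) ---
def entry(status, ptype, lba, count):
    return struct.pack("<B3sB3sII", status, b"\0" * 3, ptype, b"\0" * 3, lba, count)

def sector(fill, entries):
    return bytes([fill]) * PT_OFF + b"".join(entries).ljust(64, b"\0") + SIG

BACKUP = sector(0x90, [entry(0x80, 0x07, 2048, 1000)])            # stale table
CURRENT = sector(0xCC, [entry(0x00, 0x07, 2048, 204800),
                        entry(0x80, 0x07, 206848, 500000)])       # modified code

if __name__ == "__main__":
    merged = build_recovery_mbr(BACKUP, CURRENT)
    print(first_active(parse_table(merged)), merged[:4].hex())
```

The checks here are structural only: they cannot tell whether the backup's boot code is itself unmodified or whether the read of the current sector returned the true contents, which are the risks listed above.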
(II) File Recovery
The file system in the computer is a system used for organizing files and data, which is generally established on the disk and makes it easier to look for and access data. The operating system itself is composed of files, which are collectively referred to as system files. The system files comprise executable binary files and non-executable data files. Since the system files are loaded and run when the operating system boots and runs, modifying and replacing key system files is a common approach for malicious software, viruses and Trojans. In this way, the malicious software, viruses and Trojans can hide themselves and obtain a chance to run.
When the antivirus software detects that the system files have been maliciously modified and replaced, it will attempt to clear the malicious software, i.e., repair or recover the files which have been maliciously modified and replaced. If it fails to repair or recover these files, the antivirus software attempts to delete them so as to eliminate the influence of the malicious software on the operating system and user files.
Existing antivirus software repairs or recovers the files which have been maliciously modified and replaced as follows. The antivirus software scans the system files and detects whether the files have been maliciously modified and replaced, and if so, it begins to repair or recover the system files. When repairing or recovering the system files, it is firstly checked whether the files can be repaired. If the files can be repaired, the repair is executed. If the repair succeeds, the procedure ends. If the files cannot be repaired or the repair fails, the antivirus software attempts to recover the files. When recovering the files, it is firstly checked whether the files can be recovered. If the files can be recovered, the recovery is executed. If the recovery succeeds, the procedure ends. If the files cannot be recovered or the recovery fails, the antivirus software attempts to delete the files. When deleting the files, it is firstly checked whether the files can be deleted. If the files can be deleted, the deletion is executed. If the deletion succeeds, the procedure ends. If the files cannot be deleted or the deletion fails, the antivirus software has failed to repair or recover the files and the procedure ends.
The inventors found that the following risks exist in the above processing procedure. 1) There are risks in repairing the files. The files are generally repaired according to the database included in the antivirus software. However, since the malicious software, viruses and Trojans may vary, the repair may fail. Such a failure is unpredictable. If the modified and replaced files are key files for booting the system, the repair failure will result in a failure to boot the operating system. Such a failure cannot be recovered from. 2) There are risks in deleting the files. Similar to risk 1) above, if it fails to repair or recover the files, most antivirus software will attempt to delete the files. If the modified and replaced files are key files for booting the operating system or key files necessary for normal working of the system, the operating system cannot boot or work normally after the files are deleted. Such a fault is also fatal.
Currently, there is still no effective solution proposed regarding the problem in the conventional technology that the system cannot work normally due to the failure of recovering the system or the system files.