/vmfs/volumes/59f5094e-f86e82f9-607e-001e4f24fc12/Windows server # ls -l *

-rw-------    1 root     root     11190468608 Feb  4 05:59 Windows server-000001-delta.vmdk

-rw-------    1 root     root           354 Feb  4 06:52 Windows server-000001.vmdk

-rw-------    1 root     root         65536 Feb  4 22:24 Windows server-000002-delta.vmdk

-rw-------    1 root     root           338 Feb  4 22:24 Windows server-000002.vmdk

-rw-------    1 root     root         29268 Feb  4 22:24 Windows server-Snapshot64.vmsn

-rw-r--r--    1 root     root            13 Jan  7 09:44 Windows server-aux.xml

-rw-------    1 root     root     32212254720 Jan  7 10:28 Windows server-flat.vmdk

-rw-------    1 root     root          8684 Feb  4 06:58 Windows server.nvram

-rw-------    1 root     root           501 Jan  7 09:44 Windows server.vmdk

-rw-r--r--    1 root     root          1675 Feb  4 22:24 Windows server.vmsd

-rwxr-xr-x    1 root     root          3637 Feb  4 22:24 Windows server.vmx

-rw-r--r--    1 root     root           372 Feb  4 06:52 Windows server.vmxf

-rw-r--r--    1 root     root        252274 Dec 18 16:17 vmware-10.log

-rw-r--r--    1 root     root        368085 Jan  7 09:19 vmware-11.log

-rw-r--r--    1 root     root        527608 Feb  4 05:59 vmware-12.log

-rw-r--r--    1 root     root        181255 Feb  4 06:27 vmware-13.log

-rw-r--r--    1 root     root       2860090 Nov 20 11:28 vmware-8.log

-rw-r--r--    1 root     root        256583 Dec 13 00:23 vmware-9.log

-rw-r--r--    1 root     root        181976 Feb  4 06:58 vmware.log

THIS WILL BE CORECT DUMP?

You may need to review your problem description ? - the file-list says that there is a vmsn ???

I created snapshot after I deleted first vmsn

Windows server-Snapshot64.vmsn

Can we consolidate the snapshot-chain ?

Can you please connect to your ESXi with WinSCP and download:

the vmx-file

the vmsd and vmsn-file

and all vmdk-files without "flat" or "delta" in the name ?

There is

"Windows server-Snapshot63.vmsn" is missing. Without that file you will not be able to go back to the state "07012020 1244"

But do you really need to go back to the hot state "07012020 1244" ?

Are the files:

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_1.vmdk"

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_2.vmdk"

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_3.vmdk"

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_1-000001.vmdk"

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_2-000001.vmdk"

"/vmfs/volumes/59f511db-09abd1a1-6abd-001e4f24fc12/Windows server/Windows server_3-000001.vmdk"

available ?

Please show descriptor-vmdks for the those vmdks.

I think that if you rename the still existing name.vmsn to name.vmsn,org

and also hide or rename the existing vmsd the VM should work.

Well that assumes the other vmdk-descriptorfiles dont have additional issues.

I would recommend to completely get rid of the snapshots by doing a manual consolidation via vmkfstools if that is an option.

This is the only snapshot i have and server was decrypted (all files) by pharma virus.

I could be wrong, but from what I understand, the virus hit/encrypted the VM while it was running on Snapshot 1.

If that's the case, it  would be necessary to reset the VM to its base disks from January, 7th, i.e. discarding all snapshots.

André

Thanks, I will try it.

Raimond - Andres question is very important - if all 000001-deltas are infected you must discard all snapshots.

So the question is: when did you hit the virus ?

We have to answer this question BEFORE you run any of the vmkfstools command

I hit the virus on 03.02.2020!

Just saw log-11 !

According to that we have to assume that on 7.1.2020 the config was modified manually - otherwise I dont have an explanation for basedisks with a timestamp from 71.2020.

According to vmware-011.log the VM was running on a snapshot since 18.12.2019

So it is essential to know when the virus hit -it may be possible that the basedisks are affected if the config was changed manually ....

What ever you do - never start this VM in any state with connect network.

If we cant figure out the complete history precisely I would also avoid to ever boot the into its own Windows.

Rather experiment with one datadisk from a Linux-liveCD !!!

If possible I would even suggest to rebuild the Windows from scratch and just use the existing vmdks to extract the essential data - preferably using an isolated LinuxliveCD to do that.

My steps:

1. I will add new datastore (new hard drive), because i have small space available.

2. Copy all datastores files to new datastore (for backup)

3. I will try vmkfstools from commandline to consolidate all vmdks one by one and using vmx-file to run the VM with the consolidated vmdks.

4. If it doesnt work or if these files will be infected, i will create new VM and install it.

5. Using livecd linux on new created VM mount vdmk files and copy necessary files to VM filesystem.

Thats correct steps?

The order of steps makes sense.

But make sure you play it safe ! - remove the nics and dont boot the operating system on disk.

If possible I would like to inspect the results after vmkfstools - so far I have not seen malware like that in action.

I would like to look at such a case just to find out if I can diagnose an infected virtual disk before actually starting a VM at all.

Just curious - so decide yourself if a teamviewer-session is possible / wanted.

Ulli