Possible Unauthorized Use - Help with Logs

I have a client who started their computer and the mouse started moving around, files were being deleted, etc. It looked purposeful, not eratic. This client soon after unplugged the Ethernet cable and brought the machine to me.

I found it was running TV 10. I opened up the logs folder and expected to see mutiple logs files including the connections logs. Instaed there are only two log files; TeamViewer10_Logfile and TeamViewer10_Logfile_OLD. There was a log of activity during the time the user thought someone was in their computer. However, I'm not clear how to read these log files. Could someone tell me what to look for to know if a remote connection was made through TV?

I see tons of log entries like this

2017/10/11 10:06:22.048  2036  3152 S0!! HttpQueryInfo(20) size failed with error 12019, Errorcode=12019
2017/10/11 10:06:22.048  2036  3152 S0!! HttpQueryInfoNum(19) failed with error 12019, Errorcode=12019

But during the time in question I see things that worry me. Once I know what I'm looking at, I can post the relevant parts of the log if needed. I tried to call TV support, but they don't seem to have phone support without an active license.

To summarize my two main questions are

Should I have connections logs as well as the TeamViewer10 logs?
What do I look for in the logs to verify a remote connection was made, where from, for how long, and any other relevant info?

Find more posts tagged with

Comments

Chiron

Look for a file C:\Program Files\TeamViewer\Connections_incoming.txt

This should be present for TeamViewer 10 and newer, not sure about older versions.

In the TeamViewer Log files you already found, search for client hello received from - this will be followed by the TeamViewer ID that connected.

Secure your computer. Change your password, prevent full control without approval. I believe TeamViewer has a fraud department you can report to if needed.