I have a client who started their computer and the mouse started moving around, files were being deleted, etc. It looked purposeful, not eratic. This client soon after unplugged the Ethernet cable and brought the machine to me.
I found it was running TV 10. I opened up the logs folder and expected to see mutiple logs files including the connections logs. Instaed there are only two log files; TeamViewer10_Logfile and TeamViewer10_Logfile_OLD. There was a log of activity during the time the user thought someone was in their computer. However, I'm not clear how to read these log files. Could someone tell me what to look for to know if a remote connection was made through TV?
I see tons of log entries like this
2017/10/11 10:06:22.048 2036 3152 S0!! HttpQueryInfo(20) size failed with error 12019, Errorcode=12019 2017/10/11 10:06:22.048 2036 3152 S0!! HttpQueryInfoNum(19) failed with error 12019, Errorcode=12019
But during the time in question I see things that worry me. Once I know what I'm looking at, I can post the relevant parts of the log if needed. I tried to call TV support, but they don't seem to have phone support without an active license.
To summarize my two main questions are
Look for a file C:\Program Files\TeamViewer\Connections_incoming.txt
This should be present for TeamViewer 10 and newer, not sure about older versions.
In the TeamViewer Log files you already found, search for client hello received from - this will be followed by the TeamViewer ID that connected.
Secure your computer. Change your password, prevent full control without approval. I believe TeamViewer has a fraud department you can report to if needed.