In need of MAJOR assistance. YOU could help save others thousands of dollars, maybe even someone you know.

I'll try to keep this short. Please be patient with me, as I was hit by a truck 7 months ago and suffered head trauma.

Now I'm not sure how to fix this problem, or exactly how widespread it is, but here are the basics: I am an MCP (not active other than personal applications).

A lifelong friend asked for help with his company's network (he was looking for a second opinion). After I did some basic stuff (including research, mapping, etc.), I was asked to install a new desktop. I did that, but hadn't gotten to properly configuring it/adding it to the network when the problems started. Now, the company that my friend hired and pays to secure and service this network (as needed) was unaware that I was looking around and assisting my friend. Anyway, a few programs had been pulled from the server and installed/updated and used on this new desktop/client without any issue. So my friend was a little upset with me, thinking I screwed something up. I assured him I hadn't requested the proper credentials to dig deeper, and this is a verbal summary of what I've discovered/found and suspect.

The current IT company has disabled security logs on most computers, including the server.

They have uninstalled or disabled most or all AV/anti-malware.

They do not use AD.

They use third-party remote login software.

A KVM switch is installed at the server.

I am terrible at reading logs and have only a very basic understanding of them, but I can say this: I have a unique gift that GOD has blessed me with, and it works when it wants (like when Sony was hacked into: I knew instantly, as I was on the same network as a PSII and sensed the chaos while browsing the web, logged into my router to check what was going on, and sure enough). Anyway, I have a bunch of logs from the computer that was added to the network and sabotaged by someone via a KVM switch with admin privileges. Furthermore, this gentleman, I would wager, is doing this or something very similar to countless others, as he is the owner of a fairly large PC repair outfit. The KVM switch is his personal login device (I suspect he is logging in after hours and releasing his preinstalled Trojan/scripts, and then has his techs log in via third-party remote access software to fix the "virus" after receiving the call for tech support). I have other evidence as well, some physical.

I am obviously not going to post the logs or discuss the other evidence here, but I surely would like some advice and guidance, and if anyone could help me translate the logs, I mean, some are pretty easy but others not so much (like "event log was stopped").

Remember, this is a fairly large company that is doing this to small mom-and-pop businesses. I most certainly want to help my friend, and would like to help the other people out there that this person is "possibly" doing this to.

Thank you in advance for taking the time to read and respond.

I have a hundred questions.

Example: Can you trace a KVM switch's point of origin, e.g. IP, location, etc.?

July 27th, 2013 4:09pm
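Editor's note, added example (not part of the original post, and not an analysis of the poster's actual logs): the "event log was stopped" entries the poster mentions are ordinary Windows records, and the triage a practitioner would do first is to pull them out, put them on a timeline, and see how long logging was off and whether it happened outside working hours. The event IDs below are the standard Windows ones (Security log 1100 "the event logging service has shut down" and 1102 "the audit log was cleared"; System log 104 "log file cleared", 6005/6006 Event Log service started/stopped). The sample events, the 07:00-19:00 business-hours window and the function name Find-LogTampering are assumptions made for this example, not data from the case.

```powershell
# Added example, not from the original post. Finds "logging stopped / log cleared"
# records in a set of Windows events, pairs each stop with the next start to show
# how long nothing was logged, and flags entries that fall outside working hours.
# Runs offline against constructed sample events; the live query is at the bottom.

# Standard Windows event IDs that indicate logging was stopped or a log was cleared.
$LogTamperIds = @{
    1100 = 'Security log: the event logging service has shut down'
    1102 = 'Security log: the audit log was cleared'
    104  = 'System log: a log file was cleared'
    6005 = 'System log: the Event Log service was started'
    6006 = 'System log: the Event Log service was stopped'
}

function Find-LogTampering {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $BusinessStartHour = 7,    # assumed working hours; adjust for the site
        [int] $BusinessEndHour   = 19
    )

    # Keep only the tampering-related IDs and put them in time order.
    $sorted = $Events |
        Where-Object { $LogTamperIds.ContainsKey([int]$_.Id) } |
        Sort-Object TimeCreated

    $findings = New-Object System.Collections.Generic.List[object]
    $lastStop = $null

    foreach ($e in $sorted) {
        $hour       = $e.TimeCreated.Hour
        $afterHours = ($hour -lt $BusinessStartHour) -or ($hour -ge $BusinessEndHour)
        $note       = $LogTamperIds[[int]$e.Id]

        # A service stop (6006) or Security-log shutdown (1100) opens a blind window;
        # the next service start (6005) closes it, so report the gap length.
        if ($e.Id -eq 6006 -or $e.Id -eq 1100) { $lastStop = $e.TimeCreated }
        if ($e.Id -eq 6005 -and $lastStop) {
            $gap   = $e.TimeCreated - $lastStop
            $note += (' (no logging for {0:N1} hours)' -f $gap.TotalHours)
            $lastStop = $null
        }

        $findings.Add([pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            LogName     = $e.LogName
            AfterHours  = $afterHours
            Note        = $note
        })
    }
    return $findings
}

# Constructed sample events (shape matches Get-WinEvent output; values are invented).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2013-07-12 18:02:15'; Id = 4624; LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-07-12 23:41:03'; Id = 1100; LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-07-12 23:41:05'; Id = 6006; LogName = 'System';   ProviderName = 'EventLog' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-07-13 06:58:40'; Id = 6005; LogName = 'System';   ProviderName = 'EventLog' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-07-13 07:01:12'; Id = 1102; LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog' }
)

# Timeline for the sample: a late-night shutdown, about 7.3 hours with no logging,
# then the audit log cleared just after the service came back.
Find-LogTampering -Events $SampleEvents | Format-Table -AutoSize

# On the affected machine (run elevated; the Security log needs admin rights):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security','System'; Id = 1100,1102,104,6005,6006 }
# Find-LogTampering -Events $live | Format-Table -AutoSize
```

Two caveats a practitioner would add. First, the 1102 record carries the account that cleared the log in its Subject fields, so look at the full event (`Get-WinEvent ... | Format-List *`), not just the ID. Second, if security logging was switched off by audit policy rather than by stopping the service, no stop/start events appear at all; `auditpol /get /category:*` shows what is currently being audited. On the KVM question: a conventional KVM switch is a console-sharing device with no network address of its own, so it leaves no IP to trace; only an IP-KVM (network-attached) model has one, and access to it would show up in that device's own logs rather than in Windows.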

This topic is archived. No further replies will be accepted.
