Words, Welcome. The answer to your question can be pretty complex.
It would be very helpful to know how the system has been comprimised. Has the intruder gained root access (to the operating system) or has an OpenBB vulnerability been utilized (or both)? What was the exploit? Check the logs and search for descriptions of OpenBB exploits. In the meantime, your friend should take the machine off line. In the end, it will probably need to be scrubbed and everything installed from scratch (after you've found out what hole to plug).