I had a Flickr account. One of the registered users of my account was infected. The hijacker used her username to post about a dozen babe's related graphics on my site beginning in February.
I didn't review the site until last week. From my homepage I saw the thumbnails, which I took to be spam. I didn't view the files, but just used the checkboxes to delete them.
This user had a daughter that was a member of my daughter's cheerleader squad last fall. There was politics going on which my family had nothing to do with within the sanctioning body. I assumed she spammed the site as some kind of retribution.
I emailed her reminding her that I had nothing to do with the problems and had set up the Flickr account as a service to the kids and parents so we could all share our pictures of the kids doing their thing.
The next day when I checked my Privoxy log, instead of localhost or 127.0.0.1, the header said "...privoxy on firstname.lastname@example.org"
Running netstat at the command prompt shows at least 4 active connections to email@example.com and sometimes dozens of connections waiting to become active.
netfxsl.log shows shadow launcher executed within .NET and registry entries hidden, as well as a taskbar icon hidden.
A Google search for firstname.lastname@example.org only shows references to babe.the-killer.bz, and a few other variations. None with the @ symbol which would log a user into the-killer.bz as babe.
A search of your site for same only delivered me a message suggesting I introduce myself.
*~ Mod Edit - Topic moved to a more appropriate forum - rigel ~*
Edited by rigel, 23 April 2007 - 03:27 PM.