Forum Moderators: rogerd

Virus through posted images?

         

matthewamzn

1:36 pm on May 23, 2006 (gmt 0)

10+ Year Member



Is this possible? One of my members says they are receiving a virus while downloading images in my forum. The virus message is this:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Dialer.7AdPower
File: C:\Documents and Settings\jlo\Local Settings\Temporary Internet Files\Content.IE5\4HE7GDMN\int_ver34[1].CAB
Location: C:\Documents and Settings\jlo\Local Settings\Temporary Internet Files\Content.IE5\4HE7GDMN
Computer: COMP0***
User: COMP0***\JLO
Action taken: Pending Side Effects Analysis
Date found: Tuesday, May 23, 2006 8:43:02 AM

rogerd

3:32 pm on May 23, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Assuming that you are talking about an uploaded image, it seems unlikely that the image is the source of the infection. Per Symantec, "Dialer.7AdPower is an ActiveX component that can be used by Web pages to download dialer programs, which may be used to access premium rate services."

I think it is more likely that this ActiveX control was installed by a web page visited by the user. Nevertheless, be sure your forum software, PHP, Apache, etc., are up to date - some exploits have used features like image uploads to take advantage of buffer overloads or other flaws. An unlinked image itself, though, shouldn't be able to infect a user.

I assume that you have tried doing what the user says he did and your AV software didn't sound any warnings.

chance1376

7:08 pm on May 23, 2006 (gmt 0)

10+ Year Member



This pertains to vBulletin but should answer your question.

The vulnerability is caused due to an input validation error in the image upload handling. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site by uploading a specially crafted valid image containing embedded HTML and script code.

[secunia.com...]
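The advisory quoted above describes a valid image that also carries HTML and script. As an added example that is not part of the original thread and is not vBulletin's code, here is one way an upload handler could screen attachments for that pattern. The 256-byte sniff window, the token list and the sample byte strings are assumptions made for the illustration.

```python
import re

# Assumption: a content-sniffing browser inspects the leading bytes of a
# response; 256 is used here as the sniff window.
SNIFF_WINDOW = 256

# Magic numbers for the image types a forum typically accepts.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup tokens that can make a sniffing browser render a response as HTML.
HTML_TOKENS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|img|svg|"
    rb"title|table|pre|meta|link|style|a\s)",
    re.IGNORECASE,
)

def image_type(data: bytes):
    """Return the image type named by the file's magic number, or None."""
    for name, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None

def check_upload(data: bytes) -> str:
    """Classify an uploaded attachment as accept, flag or reject."""
    kind = image_type(data)
    if kind is None:
        return "reject: not a GIF, PNG or JPEG"
    if HTML_TOKENS.search(data[:SNIFF_WINDOW]):
        return "reject: HTML markup inside the sniff window"
    if HTML_TOKENS.search(data):
        # Could be a coincidence in compressed data, so review rather than drop.
        return "flag: HTML markup elsewhere in the file"
    return f"accept: {kind}"

# Constructed samples (not real attachments): a GIF header with and without markup.
HEADER = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
CLEAN_GIF = HEADER + b"\x00" * 32 + b"\x3b"
MARKUP_GIF = HEADER + b"<script>/* constructed sample */</script>\x3b"
LATE_MARKUP_GIF = HEADER + b"\x00" * 300 + b"<html>\x3b"

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_GIF), ("markup", MARKUP_GIF),
                        ("late markup", LATE_MARKUP_GIF), ("bare html", b"<html>")]:
        print(f"{label:12} -> {check_upload(blob)}")
```

A token scan like this is a heuristic. Re-encoding the upload on the server and serving it with its real Content-Type plus `X-Content-Type-Options: nosniff` removes the dependency on it.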

matthewamzn

7:14 pm on May 23, 2006 (gmt 0)

10+ Year Member



I am running 3.5.4; this page suggests that the problem was solved in 3.5.1. Do you think it's still vulnerable?

rogerd

7:28 pm on May 25, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You should be OK, but it wouldn't hurt to check. If you have only had one complaint and can't reproduce the problem yourself, you are probably fine.