The infection appears to be in the Gzip file on the main landing page. That would be a good place for them to start