A couple of things spring to mind.
1. Find out what a/v spyware protection they have on their machine. That would be my first port of call.
2. I don't want to worry you, but, asuming they have protected their machine, have you checked it's not malware that's got onto your site?