>>Thank you. I have just sent a message to the site support if I can use non-alph-numberic characters in my password.
>>
>>Today I was doing more investigation and came up with another possibility. My site URL is very close (the same almost) with a Canadian rock group. I have a formal agreement with them (cost me dearly) to allow each other to operate. From their MySpace I just saw, they have tons of fans, teen girls and boys. Maybe somebody got upset that I am "occupying" their web site and wanted to pester me. It is possible, I guess. Anyway, I will be changing the password today and will be bugging Google to remove the warning message.
>
>Dmitry, I don't think you're taking this seriously enough.
>
>You got hacked. You don't know how you were hacked. Your website and the software stack it runs on is no longer trustworthy.
>
>http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx (old, but still totally relevant)
>
>At this point you have no idea what backdoor software may have been installed, any hidden administrator accounts that have been created that give the remote hacker/botnet complete control of your site and computer no matter what you do with your account/password, etc. etc.
>
>What happens next depends on your relationship to your ISP/Web host:
>
>- if you own and have complete control over the server (e.g. you're colocating or have a dedicated server) there's a good chance you'll have to rebuild your server from scratch
>
>- if your host is providing you a Windows/IIS/ASP.Net platform, and you're just supplying your site on top of that, your life is probably much easier. It's up to your host to ensure that Windows/IIS/ASP.Net are clean and patched, and you reload your repaired site after setting up strong passwords on any account you use to do so. You'll want assurance from your host that the software stack they're supplying is patched against current threats
>
>If your site starts serving up the malicious script again, because you didn't address the real cause of the hack, Google will probably blacklist you forever.

I appreciate your help very much. I am working with the hosting company to get my site as secure as possible. The hosting provider, DiscountASP, is usually very responsive. They have already elevated my support ticket to next lever support. At this point, from what I see, all I can do is:
1) clean up malicious software (I did that already)
2) change my password to a strong password (I tried but ran into a problem where they would no accept characters like _ or %; so I sent a message to the support)
3) apply to Google for reconsideration. This will probably take long time; my guess is that Google gets millions of these requests.
4) I will ask the hosting provider to monitor the site for malicious software or help me to determine if something is indeed installed on my site that will keep recreating the problem.