1. In any Google search box, enter: site:yoursite.com
2. Note which pages have the warning flag. Usually, it's all of them, but sometimes it's only one section, such as the forum or blog, which tells you where to focus most of your attention.
3. Click the search results link for one of your flagged pages. Instead of going to your site, it will take you to a Google "interstitial" warning page.
4. On that page, follow the link to the "Safe Browsing diagnostic page" and study it. Another way to get to the Safe Browsing diagnostic page directly (you can check any website this way) is by entering this URL into your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check:
Detailed instructions for how to understand the Google Safe Browsing Diagnostic report have been moved to a separate page.
5. Go to Webmaster Tools at Google Webmaster Central. If you don't have an account there, create one. It's free. They show the badware status of your site, help information, and a partial list of the pages they consider suspicious.
6. Look up your site in the StopBadware Clearinghouse database.
7. If Symantec's Norton Safe Web has found malware, their report shows the locations (filenames) of the threats more completely than the Google and StopBadware reports.
8. Scan pages of your website at UnmaskParasites to find hidden iframes.
9. Scan pages of your website at Dasient.
10. Do a web search on each of the domain names and IP addresses mentioned in your Google Safe Browsing Diagnostic report as being the sources or intermediaries of the malware on your pages. Some of these website names and IP addresses are associated with specific types of attacks. For example, if the domains mentioned are gumblar or martuz, it is certain that a virus on the PC of one of your site administrators stole the FTP login information and used it to hack the site, so you must do virus scans. On the other hand, if the domain is beladen, you are facing a server-wide compromise, not just an ordinary attack on your one website, so you must notify your webhost. These domain names can give you good clues about what is wrong and save you a lot of time if your search is successful.
Now that you have preliminary information about which pages are affected and what seems to be wrong with them, you can start searching for bad code. Some of it might have been identified in steps 9 and 10 above.
