On New Year’s Day, Robert Epstein woke to nine e-mails from Google. His Web site had been compromised by hackers, Google informed him, and until Dr. Epstein, a psychologist, cleaned up his site, Google would warn any would-be clickers to stay away.
Their ensuing exchange offers a glimpse into the frustrating nature of Web site infections, which are increasingly widespread but hard to diagnose and cure. Dealing with them, or even dealing with an Internet giant’s claim that it has spotted one, can cause even the most sensible people to throw up their hands and seek court injunctions.
Dr. Epstein, a former editor in chief at Psychology Today, says his Web site, which offers free interactive mental health screening tests, can draw up to 5,000 visits a day. Now, four days after Dr. Epstein first heard from Google, a search for his site yields the digital equivalent of a skull and crossbones: “This site may harm your computer,” Google warns. Click on the link and another message pops up. This one does not mince words:
Dr. Epstein contacted his Web host and Google. The former could not find any evidence of malware but reset his site’s configurations anyway. The latter would respond only in boilerplate. So Dr. Epstein responded to Google’s e-mail, this time copying Larry Page, Google’s chief executive; David Drummond, Google’s legal counsel; Dr. Epstein’s congressman; and journalists from The New York Times, The Washington Post, Wired and Newsweek.
Google responded to Dr. Epstein (and the journalists), telling him that it had re-scanned his site and had found it was still infected and still redirecting users to a site known to host malicious code.
“Anyone with a hundred dollars and basic computer skills can use these automated tools,” Mr. Harrison said. “They’ve lowered the barrier to entry, and they are getting harder and harder to track down.”
Hackers have become so adept at covering their tracks, Mr. Harrison said, that it’s getting more challenging for Web host providers and even skilled security researchers to track them down.
I've had this happen to me with one of my client's sites in the past. After visiting it with several browsers with no ill effects, I thought surely Google must have made a mistake. It was only after I pored over the raw source code that I found subtle malicious code injected into the site. After removing the code, I put a request through Google's Webmaster tools to re-scan the site, which they did promptly and removed the warning.
According to the article, Dr. Epstein's entire "cleanup" process can be summarized by contacting his host, and having the configurations reset. Well, this will do less than nothing if there's malicious code in the database (which is the most common scenario). He's surprised when Google didn't remove the warning? He probably didn't fix the problem!
Unless you've had a developer comb through the markup of your page, it's best to give Google the benefit of the doubt. They know what they're doing.