One more thing.. It was suggested to me to register a new domain, develop a new site and see how things go. Then get rid of the old site once the new domain starts doing well.

Test your site here:

[google.com...]

Just append your site/its domain to the end.

Answering your questions one by one (I'm not an expert at these sorts of things, but I'll try to help):

>> My first question is whether Google will de-index a site due to XSS?

Yep, I think they would. I'd imagine that Google would pick-up on this.

>> How long will the re-indexing take?

Once you are 100% sure that all the malicious code is removed, fill in a Google reconsideration request:

[google.com...]

>> Would moving a site around 3 or 4 times possibly have the de-indexing affect?

I doubt it; people (especially those on shared hosts) can sometimes move hosts fairly frequently. Still, I'd try not to move anymore since (to partially answer your next question), I doubt that Google would blacklist an entire server.

>> How can I check whether the current server where it is hosted is possibly black-listed?

There's no easy way as far as I know. One thing you could try is to find your website's/server's IP address (ask your host if in doubt), then search Bing for:

ip:[server IP here]

And this will give you the sites hosted on your server too. If they are all really spammy and blacklisted, this might be a reason. Although to be honest I doubt it, since Google would (I imagine) know that good sites might move to a new host which might have some bad websites, etc.

>> Lastly is there a way to see if someone purposefully deleted our results from Google - is this kind of attack possible?

Nope, I wouldn't imagine it's possible. Assuming your robots.txt and all doesn't block the search engines, I'd imagine that it's the XSS code that is the cause here.

>> Register a new domain

I'd personally try the above first and foremost. I.e., ensure there's no XSS, check via the Google safe browsing tool, then submit a reconsideration request.

Starting again would take months (to start building SERP strength again) and it's hopefully not necessary. Do this as a last resort :)

Thanks for all your answers, tristanperry.

Here are the results from the link you provided:

What is the current listing status: This site is not currently listed as suspicious.

What happened when Google visited this site: Google has not visited this site within the past 90 days.

Has this site acted as an intermediary resulting in further distribution of malware: Over the past 90 days, ... did not appear to function as an intermediary for the infection of any sites

Has this site hosted malware: No, this site has not hosted malicious software over the past 90 days.

The SEO guy told me that they already submitted our site for reconsideration, but they only noticed that Google had not indexed the site about at week ago..

With regard to your comment

I'd personally try the above first and foremost

I found that a bit ambiguous - thought you were suggesting that I "Register a new domain" first, but I see you mean otherwise :)

Thanks for taking the time to comment.

Good to see Google haven't picked up on any malware. It is odd then, although it probably still is due to the XSS attack (thinking about it now, XSS and malware are technically different, so maybe Google picked up the XSS but simply don't report it via the malware checker or Webmaster Tools)

I've read that reconsideration requests can take several weeks (if you Google "How long do reconsideration requests take?", you'll see some links which Google employees have answered this question), so for now I'd probably just wait a bit. Try adding some fresh content and getting some new backlinks, but don't worry too much yet.

If in 5-6 week's time your site still isn't back, then consider registering a new domain and moving things over.

Best of luck :)

Would moving a site around 3 or 4 times possibly have the de-indexing affect?

Well actually yes it would. Why? If not done correctly how does Google know were the site is. What I mean is lets say your site is on IP 67.55.55.55 and your move it from that ip to the next ip. If you didn't leave the site up on the last ip until the DNS had completed the net, but just moved the site to 124.33.333.33 Google would hit 67.55.55.55 and get nothing. Now Google bot picked up 124.33.333.33 ip address and again the site is moved yet to another ip so you see the picture.

Now if you retained the same IP then that is different, but from the read this is not said.
I would go back and see what was done from the first move to the last and how it was done. Was the site left up on the old server to make sure the Google Bot had picked up the change in each move if the ip's changed. If the ip never changed then this isn't an issue if they did then it could be if the steps to move a site are not followed correctly.
[mattcutts.com...]

Agree with bwnbwn if the IP changed. I've seen situations where it might take Google a few days to a week to sort out new sites or moved sites. It doesn't happen that often, just often enough if you're looking for it.

I've seen it most often on shared IPs where G might serve results for one domain from a different domain. Less often I've seen it get confused when a new site is assigned a recently used static IP.

Ok that makes sense, thanks. So, once the site is reconsidered, will our old rankings kick-in or must we start from scratch?

Is there any way I can get confirmation from Google that this is the reason why the site is missing from their index?

So, once the site is reconsidered, will our old rankings kick-in or must we start from scratch?

Not usually in this kind of situation.

Is there any way I can get confirmation from Google that this is the reason why the site is missing from their index?

No way to make it happen that i know of. It has happened in a few cases, but they're rare.

bwnbwn, I see your point. So if sites are indexed by IP, what about virtual hosting ?