I would be happy to take a look at your server environment and see if I can pinpoint how deep the virus penetrated. If it's a recurring problem, it could be a permission problem or a vulnerable script you're using, but I think it's more likely that the initial virus left a backdoor open to give your hacker access. If you're only hosting one site on this server, then it should be a relatively easy find. If you're running multiple sites, though, the vulnerability could possibly exist on a different site. You need to do a search through your site's folders for any Base64-encoded files, because these are usually left behind when there's a breach as the result of a website vulnerability. Any databases that serve content also need to be checked in case your vulnerability might have been exploited with an SQL injection attack. If your database dump is suddenly larger than before, this is a very real possibility.
Of course, without access to the hosting environment it's difficult to say for sure.
I manage approximately 80 websites on a 3-server clustered environment that includes some religious organizations and government entities, which tend to be high-value targets for hackers. I've become quite adept at tracking a hacker's steps and keeping them from returning.
Let me know if I can be of assistance. Thanks for your time.
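The folder search for Base64-encoded content suggested in the message above can be scripted. The following is an added example, not part of the original message: it walks a site directory, flags decoder calls and long Base64 runs, and reports whether each run decodes to text or binary as a triage hint. The 200-character threshold, the decoder function names, and the sample file names are assumptions, and the sample files are constructed.

```python
import base64
import re
import tempfile
from pathlib import Path

# Assumption: 200+ consecutive base64 characters is unusual in hand-written code.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# Assumption: decoder function names worth flagging (PHP, JavaScript, Python).
DECODER_CALL = re.compile(rb"\b(base64_decode|atob|b64decode)\s*\(")

def decodes_to_text(run):
    """Decode a base64 run; True if the result is mostly printable ASCII."""
    body = run.rstrip(b"=")
    raw = base64.b64decode(body[: len(body) - len(body) % 4])
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable >= 0.9 * len(raw)

def scan_file(path):
    """Return sorted (line_number, reason) findings for one file."""
    data = Path(path).read_bytes()
    found = []
    for m in DECODER_CALL.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        found.append((line, "decoder call: " + m.group(1).decode()))
    for m in B64_RUN.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        kind = "text" if decodes_to_text(m.group()) else "binary"
        found.append((line, "base64 run, decodes to " + kind))
    return sorted(found)

def scan_tree(root):
    """Walk root and map each flagged file's relative path to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            found = scan_file(path)
            if found:
                report[str(path.relative_to(root))] = found
    return report

def demo():
    """Scan a constructed two-file site: one clean page, one with a blob."""
    blob = base64.b64encode(b"constructed sample text, not real malware. " * 10)
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_bytes(b"<html><body>hello</body></html>\n")
        Path(root, "cache.php").write_bytes(b'<?php\n$x = base64_decode("' + blob + b'");\n')
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Legitimate files such as inline images or bundled assets also contain long Base64 runs, so each finding is a lead to review rather than proof of compromise.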