Hi @ffooteli
You probably don't want to hear this, but this is very common.
Two of the more common contributing factors:
1 - You have a backdoor you haven't cleared yet. Clearing the infection doesn't mean you cleared the backdoor.
I'd recommend blowing away the core install, and pushing a fresh copy.
I don't know much about your environment, but if you have more than one site on that server, all within your account, you could be suffering from cross-site contamination. Regardless, the attacker most likely has a backdoor on your server allowing them to bypass your access control mechanisms.
Understand, however, that this doesn't mean it's a server level issue; it could be an issue in your account.
2 - When you say you changed the passwords, did you include all of them to include SSH / SFTP / FTP / CPANEL, etc.?
The more common mistake we see is a user clears the WP-ADMIN but forgets everything else.
Also, did you clear your salts / keys? If you change your password, but leave your old salts and keys, anyone that is still logged in won't get booted.
Food for thought...
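
Rotating the salts and keys mentioned in the reply above, as an added example that is not part of the original post: it regenerates the eight secret constants WordPress reads from `wp-config.php`, which invalidates existing login cookies, and reports any that are missing. The function names and the sample config are constructed for illustration.

```python
import re
import secrets

# The eight secret constants WordPress defines in wp-config.php.
SALT_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that need no escaping inside a single-quoted PHP string.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

# Constructed sample config (not taken from any real site).
SAMPLE = """<?php
define( 'DB_NAME', 'wp' );
define('AUTH_KEY',         'old-auth-key');
define( "LOGGED_IN_KEY", 'old-logged-in-key' );
define('NONCE_SALT', 'old');
"""


def new_secret(length=64):
    """Generate one value from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Return (new_text, replaced, missing) with every salt/key define regenerated."""
    replaced, missing = [], []
    for name in SALT_CONSTANTS:
        # Match a whole one-line define for exactly this constant, either quote style.
        pattern = re.compile(
            r"""^[ \t]*define\(\s*(['"])""" + name + r"""\1\s*,.*\);[ \t]*$""",
            re.MULTILINE,
        )
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function replacement keeps re from interpreting characters in the value.
        config_text, count = pattern.subn(lambda m, l=line: l, config_text)
        (replaced if count else missing).append(name)
    return config_text, replaced, missing


if __name__ == "__main__":
    text, replaced, missing = rotate_salts(SAMPLE)
    print("rotated:", ", ".join(replaced))
    # Constants that were never defined need adding by hand.
    print("missing:", ", ".join(missing))
```

Any constant reported as missing was not defined on a single line in the file and should be added to the config by hand.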