When you changed your password last time, did you do so from a non-compromised machine?
You MUST ensure;
1. Passwords are changed from a non-infected machine
2. No shells were placed on the server by the attacker, to let them back into the site even if they can't get the current FTP password
3. Any files on your server that allow user input (e.g. via forms), are using proper sanitization to prevent injection and the like, for example, if you currently use;
$email = $_GET['mail']
Where GET is either GET for querystrings, or POST for post method strings
Is Changed to;
$email = $_GET['mail']; $email = addslashes(htmlentities($email, ENT_QUOTES));
And ensure use of mysql_real_escape_string if you're using MySQL.
Just a note, the best way of ensuring #2 is to delete all files currently on the server, and uploading a clean copy from a backup (assuming you have one), and again, uploading them from a clean computer (otherwise all they'll need to do is wait for you to connect to your sites FTP again, and sniff the password again).
You should also ensure ALL passwords are alpha numeric with special characters, and do NOT use full words (e.g. "m$98'$"kjh£$KJ" instead of "mydoggy8ate0my2breakfast"). Password crackers will crack passwords with full words in them, in a matter of seconds/minutes usually.