As mentioned, once xmlrpc.php has been used to hack in, then all bets are off. The first point of entry is xmlrpc.php.
BTW: For those that have shell access, you may run the following command to see if any files have had the function gpc_ added. Note the quotes; you can change this to whatever you want. Simply log in and, in your website home directory, run the following in the shell:
shell> grep -r -i "function gpc_" ./
This command will print ANY files that have been infected. Note this will NOT work on Windows and hasn't been verified on all *nixes. It was used on Redhat Enterprise.
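A scripted version of the check above, added here as an example and not part of the original post: it lists each text file containing the marker together with the line number of the first hit, and copes with paths that contain spaces. The function names `scan_marker` and `count_marker` are made up for illustration, and GNU grep is assumed (for `-I` and `-m`).

```shell
#!/bin/sh
# Added example: list files under a directory that contain a marker string.
# The default marker "function gpc_" is the one named in the post above.

# scan_marker DIR [PATTERN]
# Prints "path:line_number" for the first match in each text file.
# Returns 0 if at least one file matched, 1 if none did.
scan_marker() {
    dir=$1
    pattern=${2:-function gpc_}
    # -r recurse, -i ignore case, -I skip binary files, -l list file names,
    # -F treat the pattern as a fixed string rather than a regex.
    hits=$(grep -rIlF -i -- "$pattern" "$dir" 2>/dev/null) || return 1
    # Read one path per line so names containing spaces survive.
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # -n prints line numbers, -m 1 stops after the first match.
        n=$(grep -n -i -F -m 1 -- "$pattern" "$f" | cut -d: -f1)
        printf '%s:%s\n' "$f" "$n"
    done
    return 0
}

# count_marker DIR [PATTERN]
# Prints the number of files that contain the marker (0 when none do).
count_marker() {
    scan_marker "$1" "$2" | wc -l | tr -d ' '
}

# Usage, from the website home directory:
#   scan_marker ./ "function gpc_"
```

A hit only means the string is present in that file; compare flagged files against a clean copy of the same release before deciding what to restore.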