When I was hit late last year the bloody thing (wasn't haxdoor) re-installed itself all time because the initial infection came in form of .cab files, which are self-extracting sorta-ZIP-files, and my AV software couldn't read their content, so they remained on the hd until I removed them manually. The day before yesterday I was hit by some java trojan which installed itself in a .jar file - another self-extracting compression, and again missed by my AV (and firewall!)
So: keep eye on the error reports from your AV *, and do a housecall or two at
http://housecall.trendmicro.com/ - and then manually (best in 'safe mode') drill into the directories where the AV found infections and delete all compressed files [if you want to be careful only delete the ones with names similar to the virus/trojan files].
*= you might need a piece of paper to write down all files and their location
I'm now 98% clean, just that somehow my svhost is playing up from time to time (~ once a week), and bloody XP refuses to re-install it from CD...