Spam inc.php found in wordpress site

Hi

I am using WordPress 4.0 with Active Plugins: akismet/akismet.php,all-in-one-favicon/all-in-one-favicon.php,all-in-one-seo-pack/all_in_one_seo_pack.php,ap-gravatars/ap-gravatars.php,better-wp-security/better-wp-security.php,bm-custom-login/bm-custom-login.php,broken-link-checker/broken-link-checker.php,bwp-google-xml-sitemaps/bwp-simple-gxs.php,exclude-pages/exclude_pages.php,far-future-expiry-header/far-future-expiration.php,flexi-pages-widget/flexi-pages-widget.php,font-uploader/font-uploader-free.php,fv-gravatar-cache/fv-gravatar-cache.php,google-analytics-for-wordpress/googleanalytics.php,google-language-translator/google-language-translator.php,image-widget/image-widget.php,jetpack/jetpack.php,link-library/link-library.php,link-manager/link-manager.php,maxbuttons/maxbuttons.php,nnd-custom-gravatar/nnd-custom-gravatar.php,orderli/orderli.php,php-execution-plugin/php_execution.php,pie-register/pie-register.php,revision-control/revision-control.php,search-and-replace/search-and-replace.php,twenty-eleven-theme-extensions/moztheme2011.php,ultimate-tinymce/main.php,wordpress-form-manager/wordpress-form-manager.php,wordpress-importer/wordpress-importer.php,wp-invoice/wp-invoice.php,wp-special-textboxes/wp-special-textboxes.php,wp-super-cache/wp-cache.php,wptextresizecontrols/init.php

My email was suddenly receiving hundreds of ‘Undelivered Mail Returned to Sender’ emails. After some investigation I discovered a few minutes before the emails began there was a file created in wp-content/plugins/php-execution-plugin/includes called inc.php which was sending the spam emails.

How do I find out how inc.php was created?

How do I prevent other simular files being created?