No Wordpress file should ever be 777; the maximum permissions are 755 folders, 644 files. See Hardening WordPress « WordPress Codex.
Your hosting account - probably inexpensive shared hosting - is probably the hack vector. Tell your host; possibly find a more secure host. Change all passwords. Scan your own PC.
To completely clean your WP install and hosting account, see FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress.
