Tangentially: The easiest way to deal with htaccess on your local machine is to save the file without the leading . and simply insert the . when uploading. Then you don't have to face all that clutter every time you open a directory. (My own compromise is to have the text editor show leading-dot files, but the OS as a whole doesn't.) This also keeps the distinction between the "real" htaccess, intended for one specific site, and the text document you're editing. There is little relationship between, for example, the stripped-down .htaccess in my MAMP directory and the two real ones on the live site.
Getting back to the original issue: If your htaccess has been changed, then uploading a new clean one will not do an iota of good, because you haven't done anything to prevent your Russian botrunner from doing the same thing again tomorrow.
Did you find anything useful in logs?
The host should have responded to any questions yesterday. Or possibly last week. Site hacking is, or ought to be, the absolute top-priority question since it could bring down the entire server. The hackers may not care about your own site at all; it just provides potential access to all the other sites living on the same server.