Andem - 11:36 pm on Jan 16, 2013 (gmt 0)
Based on my experience, I would like to suggest that this sounds more like a service vulnerability than an issue with a PHP contact form, especially if the .htaccess file was edited. If it wasn't edited and just appeared/overwrote your old .htaccess file, then the contact form sounds like the likely culprit.
If your site really is only 5 html files and a contact form, I urge you to immediately move to a new host with a solid reputation. I'd also suggest getting rid of the contact form and find something you can confirm is not currently vulnerable as a replacement if need be.