I have a 3.8 site hosted by smarterasp.net and was experiencing slow responses then finally http999s came back after the hosters firewall kicked in.

They claim that a "mysterious" folder was created in the Root of the site called "CSS" and contained 2 viruses, which their firewall scanner picked up, then refused requests to the site. They have since deleted them but cannot give me details of them or the files they contained!!!
They also said the site was insecure as the root folder is Read/Write (which was set via their installer years ago).

My site is ssl and has the normal permissions (nothing modified) when you set a site up in smarterasp.net.

I am the only one with the control panel access and password, and the only one with the site nop admin password.

I did notice that my email queue was filling with spam from the contact us form, so i have enabled recaptcha on all user input now. it was previously only on register new customer page.

So my question are:
(1) could an exploit exist in order to create a folder and viruses in the site solely through using the contact us form?
(2) can the site operate with the root folder set to read only though the smarterasp.net copntrol panel (at present its read write).

I have a funny feeling that the hoster is trying to cover up a service issue and have lied to me which resulted in 24 hours downtime and i lost several customers, and are blaming it on the NopCommerce application.