Static html/css/spry website hacked

Discussion in 'Software' started by kpduty, Sep 2, 2013.

  1. kpduty

    kpduty Private E-2

    Hi,

    We have an existing web site that has been up for 5 years. I built a quick draft website from a free template about a year ago. I put it up on the paid server in another directory for my friends at the organization to review, but it languished as they are a busy non-profit with few staff.

    Got a notice from the hosting company 8/29/13 saying the site had been hacked, and Google flagged it as unsafe. (We are pretty sure this was not a random attack, as there has been some dramatic breakup at the organization, a strong possibility that passwords were compromised and one of the jilted is a self-proclaimed hacker---I'll spare you the details).

    Went to site and MSE immediately picked up and deleted (4) instances in template site .html files of:

    Exploit:HTML/IframeRef.EX

    Took the site down and downloaded the Dead Files into a directory on my computer. MSE immediately deleted 4 .html files on the draft, and other scans found the html on the non-draft server pages had also been hacked. Virus scans on my computer deleted all the html files I had downloaded from the server, so I couldn't view the code even if I knew what I was looking for.

    Google Webmaster tools reports this as a piece of injected code, which I know was not in my original upload to server (edited for safety in this post, took out < >):

    iframe src="__________.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"

    I compared the files downloaded from the server against the backups I keep on my computer, and found one randomly numbered .txt file, two new .php files, a new php directory, and a transparent.gif file.

    This thing runs on spry, html, & CSS, and is a static html site with encrypted PayPal buttons. I speak HTML and CSS just fine, but no idea on java & Ajax. I only build static pages, using DW CS3.

    I have changed UN & PW hosting user account, FTP, PayPal, email accounts. I will generate new PayPal buttons for the rebuild.

    I have the list from Virustotal.com that shows infected pages and infections. I rebuilt the pages and have checked them by upload against virustotal.com service -- all are clean.

    My computer was infected, of course, but is now clean according to chaslang at MG malware help forum (THANKS!!). I changed all passwords again after clean logs result.

    I have rebuilt the pages and validated against W3 validator with 100% valid results.

    My questions are:

    1) Is there something I put into the header or somewhere else in the HTML documents to prevent this happening again?

    For example, I found this code at OWASP.org, but don't know if it is for the server, or if for the document, where/how to put it in, or even if it would work. We occasionally link out to other community groups, and to https: at PayPal for online donations (encrypted using PayPal generated buttons) btw.:

    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block

    2) I inserted this piece of script into the new build and tested it in a browser, it came back exactly as "CSS Vulnerable" with no corruption. Does that mean I am *not* vulnerable? (put it inside <!-- //---> so as not to run here)

    <!--

    <script>alert('CSS Vulnerable')</script>
    <img csstest=javascript:alert('CSS Vulnerable')>
    &{alert('CSS Vulnerable')};

    //-->

    3) Can anyone with some knowledge look at the files I would like to upload for HTML, CSS and Spry and tell me if they are vulnerable? Or point me to a trusted tool that will?

    Don't want to dump a lot of files here without permission.

    Any help is appreciated.
    kpduty
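
Added example, not part of the original post: a Python version of the comparison described above (server download against the local backup) that also flags hidden iframes shaped like the quoted injection. The directory layout, the file names in `demo()` and the helper names are constructed for illustration.

```python
import filecmp
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Heuristics for an invisible frame: hidden via CSS, or at most 10 units wide/high.
HIDDEN_RE = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|"""
    r"""(?:width|height)\s*=\s*["']?(?:10|[0-9])["']?(?![0-9%])""", re.I)
SCANNED = {".html", ".htm", ".php", ".js"}

def tree(root):
    """Map relative path -> absolute Path for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def hidden_iframes(path):
    """Return the opening <iframe> tags in a file that look deliberately invisible."""
    text = path.read_text(errors="replace")
    return [m.group(0) for m in IFRAME_RE.finditer(text) if HIDDEN_RE.search(m.group(0))]

def audit(backup_dir, server_dir):
    """Compare a server download against the known-good backup."""
    known, live = tree(backup_dir), tree(server_dir)
    report = {"added": [], "changed": [], "iframes": {},
              "missing": sorted(set(known) - set(live))}
    for rel, path in sorted(live.items()):
        if rel not in known:
            report["added"].append(rel)          # e.g. new .php/.txt/.gif files
        elif not filecmp.cmp(path, known[rel], shallow=False):
            report["changed"].append(rel)        # byte-for-byte difference
        if path.suffix.lower() in SCANNED and (hits := hidden_iframes(path)):
            report["iframes"][rel] = hits
    return report

def demo():
    """Constructed sample: a clean backup and a tampered server copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, server = Path(tmp, "backup"), Path(tmp, "server")
        backup.mkdir()
        (server / "php").mkdir(parents=True)
        page = "<html><body><h1>Donate</h1></body></html>"
        for name in ("index.html", "about.html"):
            (backup / name).write_text(page)
        (server / "about.html").write_text(page)
        (server / "index.html").write_text(page.replace("</body>",
            '<iframe src="__________.php" style="visibility: hidden" '
            'width="10" height="10"></iframe></body>'))
        (server / "php" / "new.php").write_text("<?php /* placeholder */ ?>")
        return audit(backup, server)
```

Anything listed under `added` or `changed` that the site owner did not upload is a candidate for the kind of tampering described in the post.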
     
