07-01-2009, 08:07 AM   #7
Hades
Moderator
 
If the files stopped appearing 3 months after you removed the contact form then it's very possible that it wasn't the cause of the issue.

There are Firefox plugins to manipulate the inputs of forms; you don't need an input-file tag to put a file in there, but those files would eventually end up in the server's temporary directory (not in your HTTP public directory). So if the OP says he's sure there are no upload mechanisms, there must be something else. Maybe somebody stole your FTP password? Check in your control panel or contact your hosting provider; they probably have an access log.

As for your question in the first post of how to create safe upload forms:

1- I suggest you read this article: http://www.acunetix.com/websitesecur...rms-threat.htm, which gives some advice on the main security issues when doing uploads.
2- Check this PHP class: Safe Upload, which takes care of some of the issues mentioned by the article. It allows you to do uploads and also performs several validations according to how you set it up.
__________________
Hades,
Ancient god, King of the Nether World, and Guardian of the Dead.
...and on my free time I'm also a web developer, contact me if you need one!