Issue 1: Look at your dashboard; you’re not logged in as an administrator, and as a result you don’t have the privileges and can’t activate themes or plugins.
With adminer or phpmyadmin, check your wp_usermeta table for your user and be sure the wp_capabilities key is for an admin: a:1:{s:13:"administrator";s:1:"1";}
Or, add a new admin via SQL:
INSERT INTO `*yourdatabasename*`.`wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('999999', '*yourusername*', MD5('*password*'), '*yourfullname*', '*youremail*', '*http://example.com*', '2016-01-01 00:00:00', '', '0', '*yourfullname');
INSERT INTO `*yourdatabasename*`.`wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '999999', 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');
Replace *examples* with user name, real name, password (in plain text), etc. The user_id is set to 999999 to avoid collisions with existing user IDs.
Issue 2: Be sure you have carefully followed FAQ – My Site Was Hacked – WordPress Codex. You may not have done a complete job cleaning the hack. Then take a look at the recommended security measures in Hardening WordPress – WordPress Support and Brute Force Attacks – WordPress Codex