I ran these two commands in our production server
DENY SELECT ON sys.sysobjects TO public
DENY SELECT ON sys.syscolumns TO public
>>I just recently dealt with this on some software my employer had purchased from a third party vendor years ago. I cleaned the tables too, but the next morning all the values were back. There are programs that will try to automatically execute the code on your site over and over again.
>>
>>I set up SQL Profiler to trace what was going on. Once I saw what they did, it was very simple, I modified two things. I denied select permissions on the sysobjects and syscolumns tables of the login that was using the site, and then I found the web page they were using and validated the parameter being passed in via the url - because they added a long string to the end. This prevented it from actually hitting the database at all.
>>
>
If it's not broken, fix it until it is.
My Blog