This seems to have worked for me on a supposedly SQL Injection-proofed ASP website that was being attacked; hopefully it will work for you.

- Clean the data; restore from the last known good backup.
- Immediately set the database properties to Read-only=True (right-click the database name in SQL Server management studio, select properties, edit the Read-only property, save the settings).
- Examine the IIS logs, searching for the domain that is showing up in the malicious script statments (in my case, dota11). The lines in the IIS logs that contain the script statement should point you toward the ASP file that is vulnerable.
- Fix the ASP code. In my case, a request variable was being directly used by the code without being checked, and that is how the attack was inserting the malicious script. I added a call to InStr(UCASE(requestVariable),"SCRIPT") to filter out any values containing scripts.
- Re-enable the database to Read-only=True after being reasonably sure that the ASP code is no longer vulnerable.