You need to find the application that is vulnerable to injection (you can use profiler to see the commands coming to the database)
There isn't a quick silver bullet on this. You need to find the vulnerable pages and fix them. Change SQL statements to parameterised rather than built up. Restrict the app's permissions to not allow it to directly acces the tables but to use stored procs.
I would suggest that you drop the publication in question and recreate it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability