Changing the Salts and Auth Keys is really good. Also, having looked at the script in social.png, I've decided to add this to my wp-config.php to prevent it from running again:
define( 'WP_OPTION_KEY', '');
Then removing the social.png file should have covered everything I guess.
Any other ideas or suggestions are welcomed.