Since these infected users still appear to be upgrading to recent RouterOS versions, can the upgrade process look for non-MikroTik binaries or other signs of infection and warn the administrator to netinstall? If there was a system exploit to run arbitrary code, simply removing socks and scripts and adding a firewall is not enough, as RouterOS does not allow admins to see all processes running on the router. A netinstall is the only way to be sure.
I highly doubt an open socks proxy or similar is responsible for DDoS, as that means the attacker still has to generate the traffic elsewhere.