After moving the vulnerable version i cleaned all suspicious setings in RoS (firewall filter, schedule, ip socks).
But now, ther are thousands entrys in IP-Socks-Access, and when you try to access IP Socks router stuck at 100% cpu,
Is there any chanse that Mikrotik make an upgrade version that will automaticly remowe that socks access entry?

What to do, routers are miles away?

I'm afraid that only sure way to clean malware from hacked routerboard is to perform netinstall ... for that physical access is a must. And, after you do it, don't restore configuration from backup, malware might be hidden in it. Rather re-do configuration manually (output from /export command can be valuable reminder, just don't copy-paste any configuration commands you're not 120% sure you know what they're doing). In particular, default firewall is a really good starting point, build on it rather than replacing it with your own old firewall config as it might have been primary reason for your router being hacked in the first place.

when you try to access IP Socks router stuck at 100% cpu,

How do you "access IP Socks"? Are you trying to use the IP socks service as a client? Are you opening the IP > Socks > Access window in WinBox? Are you printing the entries in Terminal?

The most simple command to remove all entries is, in CLI (WinBox/WebFig terminal, SSH or telnet):
And give it some time (minutes) to complete.

Please do not post your question in multiple topics.