MikroTik routers came under attack some time ago. An exploit gave the attackers administrative access to the routers and enrolled them in a larger botnet. The commands below help remove what the intruder left behind and switch off the SOCKS proxy it relied on; they do not by themselves close the hole that was used to get in, so you should also upgrade the router to the latest available RouterOS firmware.
/sys backup save
/ip socks set enabled=no
/sys scheduler remove rsched1_
/sys scheduler remove schedule3_
/sys script remove script3_
/sys script remove rscript1_
/file remove mikrotik.php
Disable the services that are not required; only Winbox stays enabled.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
Commands explained –
First we take a backup, which also preserves the compromised state for later analysis. Then we disable the SOCKS proxy. Next we remove the malicious scheduler entries and scripts and delete the mikrotik.php file they dropped. Finally we disable every management service that does not need to be reachable on the router, leaving only Winbox. Since the intruder had administrative access, change the router's passwords once it is cleaned, and restrict Winbox to your management addresses rather than leaving it open to the whole network.
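The checks a practitioner would run before and after the cleanup, as an added RouterOS script that is not part of the original post. It is read-only: paste it into the terminal, or save it under /system script and run it, and it reports whether the indicators named above are still present and whether anything other than Winbox remains enabled. The names rsched1_, schedule3_, script3_, rscript1_ and mikrotik.php are the ones listed on the page; the final check for a Winbox address restriction is an assumption of good practice added here, not something the post describes.

```routeros
# Audit-only check for the indicators targeted by the cleanup above.
# Added example, not part of the original post. It changes nothing on the
# router; it only prints what it finds. The names rsched1_, schedule3_,
# script3_, rscript1_ and mikrotik.php are the ones listed on the page;
# the Winbox address-restriction check is an assumed good practice.

:local findings 0

# 1. The SOCKS proxy the intruder relied on should be off
:if ([/ip socks get enabled] = true) do={
    :put "FINDING: /ip socks is enabled"
    :set findings ($findings + 1)
}

# 2. Scheduler entries with the names the intruder used, and what they run
:foreach s in=[/system scheduler find where name="rsched1_" or name="schedule3_"] do={
    :put ("FINDING: scheduler " . [/system scheduler get $s name] . " -> " . [/system scheduler get $s on-event])
    :set findings ($findings + 1)
}

# 3. Scripts with the names the intruder used
:foreach sc in=[/system script find where name="script3_" or name="rscript1_"] do={
    :put ("FINDING: script " . [/system script get $sc name])
    :set findings ($findings + 1)
}

# 4. The dropped file (matched by name so a path prefix does not hide it)
:foreach f in=[/file find where name~"mikrotik.php"] do={
    :put ("FINDING: file " . [/file get $f name] . " (" . [/file get $f size] . " bytes)")
    :set findings ($findings + 1)
}

# 5. Management services still enabled other than Winbox
:foreach svc in=[/ip service find where disabled=no and name!="winbox"] do={
    :put ("FINDING: service " . [/ip service get $svc name] . " enabled on port " . [/ip service get $svc port])
    :set findings ($findings + 1)
}

# 6. Winbox reachable from any address (assumed good practice: restrict it)
:if ([:len [:tostr [/ip service get [find name="winbox"] address]]] = 0) do={
    :put "FINDING: winbox has no address restriction"
    :set findings ($findings + 1)
}

:put ("Total findings: " . $findings)
```

Run it once before the cleanup to record what is there, and again afterwards; a clean router reports no findings except possibly the Winbox address restriction, which you fix with `/ip service set winbox address=<your management range>`.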