reaper111 I agree that those would definitely be a cause for concern and likely the vulnerability was exploited.
I have to apologize here, though, because I am not (and most folks on this blog will not be) a specialist in tracking down stuff that has been done on a machine that might have been compromised. The difficulty here is that payloads could be different (see my previous comment about what happens when vulnerability goes public). It is therefore impossible to give prescriptive guidance on what to do if the server was in fact compromised.
My opinion (read that as you will) is that if I had a personal machine that had malware on it, I would flatten it and start over. Personally, if that happened on my server, I'd be moving mailboxes off it and gracefully decommission it from my organization. All of that would be done AFTER all my servers were updated for the vulnerability. Unless you have a highly trained specialist on site who can track down every possible part of payload that might have been delivered.
Also, roll all of the Admin credentials.