The verdict is in......The powers that be do not want the press or the help of the government. So the decision handed down to me has been to prevent and preserve.
I am going to start with the suggestions made by JP regarding the router, I am going to have all admin passwords and hardware passwords changed for any admin accounts, I am then going to move to the Exchange Server and work to validate the accounts. I will also setup a sniffer to monitor open ports and log traffic on unusual ports.

Ok folks this is what I was afraid would happen.....Any other suggestions on the next steps to take. I am going to work from server to server once the perimeter is checked.