I'd suggest you start with http://www.ftc.gov/bcp/edu/microsites/idtheft/
I have enough assets I care about, so I did change passwords, invent a new mother's-maiden-name, cancel cards, put passwords on bank accounts... if I valued it and it wasn't guaranteed against fraud, I set fire to everything old a la Sherman's March: I left nothing behind of value. The tradeoff is going to hinge on what you have, and whether it is worth paranoia and your time, vs. worrying.
Yes, especially stored passwords or things you've used in the last 2 yrs (age of the exploit).
Yes, trojans and rootkits could allow file transfers. Odds are you were pwned and your computer's access credential data was bundled and sold and nothing more, but the odds of worse happening increase if you somehow caught their interest.
You won't know. If someone better than I were to spend a lengthy amount of forensic effort, we might get clues as to what happened. The odds are damn slim, though.
The way to know would be to spend far more than paranoidly resetting account data will cost on a forensics evaluation, with scant likelihood of finding anything out.
Don't freak out. So far, systems for botnets seem to be worth more than the personal financial data on these systems, but that's changing fast. I'd wager that you're not going to lose your fortune if you don't act, but I sure wouldn't take chances considering the alternative is a few days of phone calls and hassle. Just stop surfin' porn, use MalwareBytes antimalware (no, I'm not a shill -- it's free, I like it, I don't stand to gain by recommending it) or some other scanner regularly and take measures against anything you consider valuable enough to need keys reset and passwords / accounts changed.
My credentials: CISSP, SANS GPEN certs, 30 years of coding, security and admin experience. I'm merely a so-so hacker, but work with people that are world-class.