4. Other information
Loss may not be limited to passwords; depending on the malware in question, potentially any information entered, stored or processed on an infected computer may have been disclosed to an attacker. Information may have been stolen from online services if the attackers have gained access to the password for that services.
Online banking sites commonly use more than just a single password to authenticate users, but these days malware is extremely sophisticated and able to capture any additional information you supply when logging in. This may include a password or code number from which you enter only certain letters or digits (over time, attackers can capture the full passcode), personal information such as your date of birth, favourite colour, mother's maiden name. If you have made any online purchases, credit card details have likely been captured along with expiry dates, CVV codes and passwords for authentication systems such as Verified by Visa or Mastercard Securecode.
Please also be aware that seemingly harmless personal information may aid attackers in getting control of certain accounts even if you have changed your password. Many sites these days allow you to reset a password by supplying certain personal information. For instance, OUCS use date of birth, University card barcode and a "security question" of your choosing. Many users have chosen to use simple questions such as their mother's maiden name or their dog's name for their security question, in spite of OUCS's advice not to do so. Such questions may be trivial for attackers to answer from other information they have captured; other questions such as "favourite colour" can be easy to guess.