First, change your password.
Why would you change the password before doing AV scans and such to determine the root cause of the problem of someone getting unauthorized access? If you don't know what the cause is, then changing the password may be futile because something like a keylogger or packet sniffer would pick up the change and you are no better off.

Eliminating the threat would be first priority, IMHO, and determining the source and extent of the threat before putting in fixes/safeguards.