JF> the address that my DNS was changed to was, which
JF> is different from the used in the Hosts file.

That should come as no surprise. The former was where the attacker intended
to provide his/her own proxy DNS service to you, publishing name->address
mappings of his/her choosing; and the latter was part of one of those very
mappings, directing you to where the attacker intended to provide his/her own
content HTTP service (amongst others), providing web pages of his/her choosing
and impersonating other entities.

This ploy has been well-known for years. The only novelty of this attack, if
there can be said to be any at all, is that someone found a means of having a
large number of people execute the trojan unwittingly.

And, of course, one question that affected people should be asking themselves
is why they were running Microsoft's Internet Explorer under the aegis of a
user account that is allowed to reconfigure their machine.
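
As an added example, not part of the original post: a Python audit for the two changes discussed above, a replaced DNS resolver and Hosts file mappings that point names at a remote server. Every hostname, address and allowlist in it is a constructed assumption, using documentation address ranges.

```python
import ipaddress

# Constructed sample data; addresses come from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
192.0.2.66      www.examplebank.test login.examplebank.test   # constructed rogue entry
0.0.0.0         ads.tracker.test
198.51.100.9    intranet.corp.test
"""
SAMPLE_DNS = ["203.0.113.53"]        # resolver currently configured (constructed)
EXPECTED_DNS = {"198.51.100.1"}      # resolvers the administrator assigned (assumption)
EXPECTED_HOSTS = {"intranet.corp.test": "198.51.100.9"}  # known-good overrides (assumption)


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments and malformed lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")


def suspicious_hosts(text, expected=EXPECTED_HOSTS):
    """Return (name, address) overrides that send a name to an unapproved remote address."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost and 0.0.0.0 entries do not point at a remote server
        if expected.get(name) == str(addr):
            continue  # override is on the known-good list
        findings.append((name, str(addr)))
    return findings


def unexpected_dns(servers, expected=EXPECTED_DNS):
    """Return configured resolvers that are not on the approved list."""
    return [s for s in servers if s not in expected]


if __name__ == "__main__":
    for name, addr in suspicious_hosts(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {addr}")
    for server in unexpected_dns(SAMPLE_DNS):
        print(f"unexpected resolver: {server}")
```

On a real machine the inputs would be the contents of the Hosts file and the resolver addresses reported by the network configuration, compared against lists the administrator maintains.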