Man in the Middle exploit
The assumption that a "paypal like thing" would work with this specific type of exploit is to misunderstand the operability of this trojan, as I understand it.
This trojan permits the re-routing of traffic via a middleman but propagates the two factor information transparently through the middleman, thus permitting you to authorize a transaction based upon a transitory factored ID while modifying the actual transaction.
A scenario:
1. You are infected with the trojan.
2. You log in to your bank/financial institution.
2a. Instead of logging into your institution via SSL you are instead logged into the malicious clone site.
2b. The malicious site then establishes a secure connection to your institution via SSL.
3. You enter your second factor, such as a token code, or one time key.
4. The trojan captures the key unencrypted as you enter it (keylogger), and reenters it on the malicious connection to your bank.
5. You enter a transaction.
6. Due to the trojan/malware installed on your system, the unencrypted key has been provided to the malware site, which then uses the valid one-time key to validate the connection to the actual site, thus being validated as being you.
7. They can carry out any transaction that you are allowed to do.
As this type of attack is not usually IP specific to the originating IP address of the client (which would lock down your transactions to a single statically assigned IP address), it would work. In our massively portable world, tying a user to a specific IP is not viable, so it is up to the client to ensure the security of their own systems, through FWs/anti-malware/virus detection, and due diligence.
If your hosts file in %windows%\system32\drivers\etc folder has any information outside of your local network, it has probably been modified.
Taken to an extreme, even biologic type second factor information could be pulled from an infected system.
So, as a client/user:
1. Never click a link in an email, always open the page by typing the url.
2. Only trust truly trustable content.
3. Don't turn off UAC, and don't just click through.
4. Keep your protection up to date.
5. Most banks in the US do not even require two factor authentication, so it's even easier here than in other countries! Keep an eye on your assets.
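The hosts-file check suggested in the comment above, as an added Python example that is not part of the original post: it parses hosts-file text and reports every mapping whose address lies outside loopback, link-local or RFC 1918 ranges, which is the "information outside of your local network" heuristic. The sample file, the example-bank hostnames and the address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Address ranges treated as "local" for this check: loopback, link-local and
# RFC 1918 space, plus their IPv6 counterparts. Any hosts-file mapping to an
# address outside these is reported, following the heuristic in the comment.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_local_address(addr: str) -> bool:
    """True if addr parses as an IP inside one of LOCAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # malformed token: not local, caller reports it
    return any(ip in net for net in LOCAL_NETWORKS)


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[int, str, str]]:
    """Parse hosts-file text and return (line_no, address, hostname) for every
    mapping whose address lies outside the local ranges above."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        address, *hostnames = line.split()
        if hostnames and not is_local_address(address):
            findings.extend((line_no, address, name) for name in hostnames)
    return findings


# Constructed sample in the layout of %windir%\system32\drivers\etc\hosts.
# The last line is the kind of entry the comment warns about: a placeholder
# bank hostname pinned to a public address instead of being resolved by DNS.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.lan   # workgroup box
203.0.113.10    online.example-bank.test  www.example-bank.test
"""

if __name__ == "__main__":
    for line_no, address, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address} (outside local ranges)")
```

On a real machine, read the file at the path the comment names and pass its contents to suspicious_hosts_entries; an empty result means no non-local mappings, not that the machine is clean.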