Locking a Windows computer with Windows+L simply prevents the physical user from interacting with any of the processes running within your user. Any processes you have open in your user continue running and this is why you can download a file and lock your computer, and it will continue downloading while your computer is locked.
Teamviewer interacts with Windows as if an extra keyboard/mouse/monitor were plugged in. This is why anything seen through Teamviewer is the same as what the physical person in front of the computer would see. Other software, notably Remote Desktop, interacts with your user session directly which is why you can log in with Remote Desktop even when the computer appears locked to a physical person sitting there.
If you lock your PC, most forms of remote control become more inconvenient for the attacker but you're certainly not completely safe. Teamviewer may still transfer files as Martin Fürholz mentioned. If you want to be certain nobody can use your machine while you're not sitting in front of it, your best bet is to disconnect the computer from the network, hibernate or shut down. On sleep, you should be safe but it depends on your settings. Some programs can wake up the computer and exit sleep, but your computer should disconnect from the network so you avoid the Teamviewer-style attack. You can configure Windows to stay connected to the network while on sleep, and in this case sleep doesn't protect against remote control attacks.
Since in your case you didn't have TeamViewer installed, you should probably be quite concerned about possible malware because if the attacker had the necessary privileges to install Teamviewer, they may have done more than just Paypal. Resetting the PC (ideally with fresh install media) is the best solution there.