I've reinstalled on my root partition, as advised. Thanks for your advice. I do think that they were just trying to do a quick transfer that would be associated with my IP rather that their own. That seemed to be their purpose, rather than messing up my system pointlessly. Or might a keylogger have been installed?
Dunno - anyway, I have reinstalled; switched off VNC and its ports; and installed and configured fail2ban. Hopefully, I should be reasonably safe now!