Lots of voodoo and "I know that..." stuff in here.
Firstly, it is possible to have exploits. I am not overly sure how vulnerable things are to them anymore - essentially a file is identified as a type. They pretend to be one type, but are another, and contained code inside which whilst your browser (or OS, or whatever) was dealing with it would result in having quite different behaviour. Most vulnerabilities were plugged. However, here's an example (using mIRC client).
http://www.pandasecurity.com/usa/homeus ... ticia=3189
So yes, it is possible. Highly improbable as I imagine these sorts of things have been fixed up
years ago.
Secondly, yes, anti virus should pick up most attempts in the event they do somehow "infect" you - but even so, there are % success for picking things up. Nothing is 100%, even at 99.99% - when they test against 500,000 viruses/malware etc, that still leaves you 50 being undetected.
But beside all that - do you know how many computers don't have any protection? It is depressing to know most are computer users are f'kin retards. Same reason why they mass mail those ridiculous "you've won the lottery" or "rich Nigerian has died..." things. There's always
one which makes it worthwhile to do this...
I'm fairly sure that in a busy room there are several who have zero protection on their computer (they may be arrogant, or stupid, or both).
As for MSE - I use it, and it has
great detection rates for rootkits amongst free anti-virus offerings. It is resource light, a bit slow, but good overall for a free product. I would go for a paid one, but only when I upgrade my rig to be capable of dealing with everything - however, there is not much to be gained from paid over a good free solution. Indeed, many free solutions are better than the paid solutions offered by big companies. One that springs to mind is Comodo's firewall with Defence+ . Whilst I wouldn't ever use their antivirus (it was awful at first) their firewall with defence+ is brilliant. However, it pisses the hell off out of most users.
Bottom line - keep windows up to date, install anti virus (if you don't trust MSE, then I suggest Avira's free Anti-virus above AVG or Avast, but they're both good too), a firewall (if you don't trust windows own firewall, then go for something more robust with real time monitoring of processes and outbound connections - such as Online Armor or Comodo - although you may get pissed off with their real time monitoring). You can also get secondary scanners such as Malwarebytes Anti Malware (Free) too, and scan once a week.
Anyway, could this person have made the program he claimed? Unlikely. Extremely unlikely. For
many reasons. What you currently have are people now coming up with ways he
may have been able to achieve it. The most likely answer to all this is "stop searching for explanations when the simplest is that it's a straight forward con with zero effort".
He sucked a few in - why? Your paranoia.
You are paranoid, and you wish there is this magical way to prevent something. You want to believe... that's the biggest reason. You are searching for a solution, you want a solution.
He comes along with a magical solution, it's cheap... and it'd fix your problems. Whack in the usual voodoo chit chat and you're sold because you
want to believe it.
As long as he feeds you some plausible bullshit you'll fall for it - because you
want it to be true (and likely you don't really understand how things work).
Lets be honest, if he said he wanted 2 hours of skype sex show per month you'd probably become suspicious - but because there was payment, it somehow adds legitimacy in your mind...
Most cons are simple. Stop trying to find a complex, extremely technical/skilful explanation. It's just a plain old con.
Some fell for it - does it mean they're stupid? No, not necessarily. Just like avoiding the scam doesn't make you intelligent either.
It means they were vulnerable. Vulnerable and trusting.
It's the internet, don your tin foil hat and be sceptical of
everything
*edit* Paranoid is a bit strong. You are worried, maybe scared.