Going a bit to the extreme, someone can find the current tcp/ip session that you have with the AOL server, actively hijack it, emulate you still sending/receiving messages, and go from there.

There are always extraneous cases, just becuase you have no 'software' installed on your computer from somone else doesn't make you secure. As previosuly mentioned a legitimate application such as remote desktop could be used against you.

As a short answer, yes, it is very possible for someone to do anything to your computer without first putting software on it.