
View Full Version : Please help Security Issue - someone customized a website using vb.


benative
07-25-2011, 09:52 PM
Is it possible for him to access admin control or my host's main root?
If so, how can you figure out if they can? And any suggestions?

Lynne
07-25-2011, 10:36 PM
What access exactly have you given them so far? And are your passwords the same for every area of access - your admincp and your hosting account?

benative
07-26-2011, 01:19 AM
Thanks Lynne, my admin account and hosting account have different passwords, and he insisted on installing the developed script on my server directly, so I created FTP access for him. That's about it. That FTP access is no good anymore; I deleted it. Also I changed the values in the config.php such as database name, user, and email address to notify DB errors and so on.
The only thing that bothers me is that he installed a bunch of plug-ins and mods for me including his product, and his products are ioncubed, so I don't know if he put a hole in there.

Lynne
07-26-2011, 02:41 AM
I would be wary of installing code on my website that I could not see.

benative
07-26-2011, 03:02 AM
That was my mistake, I admit, but he kept insisting. Thank you very much for your consolation though. Please advise me if there is a way to figure out if there is any hole in my website.
I am not worried about him hacking my password as I use different passwords for most of everything, but my site deals with money and transactions between people, so... anyway, thanks a lot. You really are the best :) Seems like I get more help from you than my former developer who was supposed to help me with the bugs he created.

Frosty
07-26-2011, 08:22 AM
Check in plugins and products if there's anything related to private messages - he might be spying on your members, as you said it's related to transactions.

Also compare your php files with the original ones (download from vB.com) using Notepad++ or any other similar program. If they don't match, they have been modified.

BirdOPrey5
07-26-2011, 10:16 AM
If he had FTP access he could have uploaded a script anywhere to give him complete access to everything.

The only way you could be very sure is to delete all the files everywhere on your site and re-install.

Then in vBulletin (the info is still in the database) either manually check every single plugin or just uninstall every product and re-install only what you need. (and can confirm is from a trusted source.)
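The file comparison Frosty suggests, and the check for uploaded scripts that BirdOPrey5's post implies, can be automated by hashing both trees. The following is an added example, not part of the original thread and not vBulletin code; the function names and the sample trees built in `demo()` are constructed for illustration, and it assumes you have a freshly downloaded package unpacked next to a copy of the live site.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_tree(root, suffixes=(".php",)):
    """Map relative path -> SHA-256 for every matching file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }

def compare_trees(clean_root, live_root):
    """Return (modified, extra, missing) relative paths, each sorted."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    extra = sorted(live.keys() - clean.keys())    # on the server, not in the package
    missing = sorted(clean.keys() - live.keys())  # in the package, not on the server
    return modified, extra, missing

def demo():
    """Constructed sample trees (not real vBulletin files) to show the output."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php // stock\n")
            (root / "includes" / "functions.php").write_text("<?php // stock\n")
        (live / "includes" / "functions.php").write_text("<?php // stock + edit\n")
        (live / "images").mkdir()
        (live / "images" / "thumb.php").write_text("<?php // not in package\n")
        (live / "index.php").unlink()
        return compare_trees(clean, live)

if __name__ == "__main__":
    modified, extra, missing = demo()
    for label, paths in (("MODIFIED", modified), ("EXTRA", extra), ("MISSING", missing)):
        for p in paths:
            print(f"{label:9}{p}")
```

Files that installed products and your own config legitimately add will also appear under EXTRA, so each entry there needs to be matched to something you knowingly installed.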

borbole
07-26-2011, 11:05 AM
Check also the FTP logs. There you can see what he did in your server space.

Lynne
07-26-2011, 04:09 PM
And go through your access_logs to see if he is accessing some hidden script.

But, to be honest, I would uninstall those ioncubed products and tell him I want them in code I can see.

GavoTrav
07-28-2011, 06:26 PM
There could be a PHP shell which will allow him to do pretty much anything he wants, even look at htpasswd files etc.

So check everything out before allowing people on. Also there's a program called "TeamViewer"

www.teamviewer.com

Which allows people to remotely access your PC if you give them a password.

You can also cut them off when you want and change the password. I recommend using that and letting them install what you can see ;)