[Joe Forster/STA]

I downloaded h4x0r's Alice: Madness Returns, Fable 3 and F.E.A.R. 3 trainers, both from Sicheats and GCW. The files in the packages for the same game are identical, except an extra promo video in one of them. Conclusion: There is no difference whether you download h4x0r's trainers from Sicheats or GCW. (Apparently, Empire's manual upload filtering works fine.)

I've checked xpsupport.dll, too, which is the same in all packages. It is, actually, identical to dbghelp.dll version 6.12, which can be downloaded along with the latest Windows SDK 7.1. Note that it contains digital signatures so it cannot be faked or tampered without anyone noticing. Conclusion: The xpsupport.dll's analyzed above are fakes.

Final conclusion: Traziz, you get one, I repeat, one more chance to prove that you're not a Cheathappens agent. A few questions for you to answer:
1. Where are the trainer packages that you (allegedly) downloaded from Sicheats and GCW? Give us the original download URL's (probably, a file sharing site that Sicheats supposedly links to) and attach them to your post.
2. How is it possible that we not only cannot find in xpsupport.dll any of the suspicious strings you reported but it turned out be (a copy of a given version of) a Windows system DLL?
3. Which trainer is supposed to create the "vcl3test.dll" file and where? The Alice: Madness Returns trainer doesn't create one.
4. Which trainers access what registry entries and how (read/write)?
5. Which trainers create what files and what do those files contain? Attach them.
(If you can use a disassembler, I'm sure you can also use Sysinternals' ProcMon to create a trace.)

As I already mentioned to Empire and TippeX, I think we're experiencing the latest - and more elaborate than ever before - attack against Sicheats on/via our forum.