The trainer does 2 things that trojans would typically do.

1) We're modifying stuff in memory (hacking your games while they are running.)
2) We're talking back and forth with a web source.  That is, the trainer talks to KongHack to log you in, get hacks, etc.

tl;dr: False Positive.

Yeah, I ran out of time.  The house is insane today.  Kids are sick still, one's screaming constantly... it's nuts.

lets say its using network to login and to download cheats.
now why is it trying to connect to 2 different ip adresses?
also why is it trying to listen on a port? (like a trojan, waiting for incomming connections from the one who is controlling it)

fair enough.

why is it trying to listen on a port?
do you know what a mutex is?  In computer programming, a mutex is a program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously. When a program is started, a mutex is created with a unique name. 

In the case of the trainer, we use a mutex to ensure that only one instance of the trainer runs at one time. however, it might be the case that the user clicks on "launch trainer" link on the website while the trainer is already running. In this case the trainer will start and try to lock the mutex, but it can't, because the other trainer instance has already locked it. So all the new instance can do is exit.

However, because the "launch trainer" links pass game and cheat information to the trainer (so it knows what cheats to load), it is important to pass that information to the current trainer instance. In order to do that, we use a tcp connection.

why is it trying to connect to 2 different ip adresses?
This is a bit of a tricky one maybe, since you dont specify when it talks to two ip addresses, but I'll walk you through the "two" I know of.
You might notice that you download the trainer from a special subdomain.For security purposes, If you try to download the trainer through another site, the installation should fail. Because our primary domain is hosted "in the cloud", the primary domain data is served from whatever datacenter is closest to the user. This means that if we hosted the trainer download on our primary domain, installation will always fail. 
However, all game and cheat related data comes from the primary domain, and hence is potentially served by the cloud.



 

I believe most trainers in this site are safe especially KHUT. However, some antivirus programs still give false detection on some trainers and it is completely normal.

@MuhammadAlle To answer your question, in order to explain why sometimes antivirus programs "falsely" detects trojans in trainers, you have to know what trojan basically does and what a trainer does.

Trojan, it is usually malware program containing or consisting of array of codes that're defined to carry out actions on the memory to cause the transport or loss of data directly, which also access to different part of computer and memory unauthorized, like a "backdoor" . Another key feature of Trojan horse is that it can not replicate itself. Torjans are malicious programs that are disguised to be unsuspicious, excuting actions in ways that look like normal. Most of the torjans usually have names that catch user's attention/interest (and those keywords are usually irrelevant to the actual usage of the program), such as startnow.exe or click.exe, in order to induce people to download or start the trojan.

On the other hand, what does a trainer or hack do? Change of memory, sometime even in the non-executable and non-writable part. Access to and scan in large part of memory. Some file names and registry ids even contain keywords that are usually appearing in the trojans case. If you look into it deeply, they are quite similar in many point of views.

Many antivirus program's heuristic analysis / hyper scan procedures are derived from the characteristics of trojans. THEREFORE, some trainers or hacks always falsely defined as trojans because of the similarities between them. Some less complete / outdated antivirus program database therefore may leads to the false detection of trojans for some programs more often.

For example, the WL-090e2df495b51e173943ec4bdeb82a2d-0-TR/Cridex.EB.16, WL-4572fd2833abd750e70c735bdb33fdfd-0-TR/Cridex.EB.23, WL-3edf002334d86b974940c7f1cd950ad4-0-TR/Rogue.KD.637567.7 etc, were famous trojans once and their false detection rate 're over 3.43% in year 2012 in the avira and malwarebytes international viruses database. Imagine, there are tens of thousands of new trojans and viruses each year and those few types' false detection case covered over 3% of total. They were famous not because of their destruction level but their disguising power. Many programs were falsely detected as those trojans when those trojans alias firstly come out, such as bittorrent clients, downloading softwares, copy assist programs, renaming programs, game trainers, compression programs, game hack, game tool, etcetc you name it. Even the most famous and successful antivirus programs did make those mistake for over 6 weeks.

Viral technological advances every single day however global antivirus analysis tech is almost the same as 17 months ago. It's not hard to understand that, the antivirus programs will continue to make mistakes on new viruses and new trojans detection.

I may not know much on hacking and computing but I learn and memorize a lot of technological facts, history and information thanks to my fulltime work.

Antivirus programs having false detection is inevitable and even becoming a tendency. This global problem can not be solved easily unless trojans and viruses slow down advancing exponentially, which is impossible. As a normal person and employee, I would just say what I say to my customers and clients everyday ; Use multiple antivirus programs, in order to prevent false detection caused by the fact that that particular company isn't focusing on dealing with some particular viruses types. For example, avira spends most resources on worms and trojans aspect however its malware and spywares database is not as good as that of Malwarebytes. Use 3-5 good international antivirus programs to scan, and send back the results to their department they should contact you in 3 working days. Listen to their advice and Compare the results then you should be able to deduce if the trainer/program is actually having viruses/trojans or it is simply a false detection and it is safe to use.