
SDHelper.dll version 1.6.2.14



DodgeRules
2010-01-04, 17:29
I was trying to diagnose a PC this weekend that had random redirection issues when selecting Google search results. The selections were hijacked and sent to directrdr.com, which then redirected to some website with an ad. In trying to resolve this issue, I noticed that the SDHelper.dll file had a different file size than that on my own PC, but the exact same version number of 1.6.2.14.

Now I would assume if Safer-Networking were to change something in the dll, they would bump up the version number. The file info I have for the 2 files is as follows:

My PC (non-infected):
File Version: 1.6.2.14
File size: 1,562,960 bytes
MD5: 35f73f1936bde91f1b6995510a61e7a8
Digital Signature Signing Time: Monday, September 15, 2008 7:25:44 AM

Here is the info from the infected PC:
File Version: 1.6.2.14
File Size: 1,879,896 bytes
MD5: 022c2f6dccdfa0ad73024d254e62afac
Digital Signature Signing Time: Monday, January 26, 2009 9:31:03 AM

Both SpyBots were fully updated. My questions are:
1. Are both of these files valid?
2. If they are both valid, why, if they are both up to date, are they not the same file? I couldn't find where on this website the file info is stored to verify which one is the latest.
3. If they are both valid, why wasn't the version number bumped for the newer version?

Rosenfeld
2010-01-05, 00:04
On my PC running XP pro SP3, IE8 and definitely clean, SDhelper.dll in
C:\Program Files\Spybot - Search & Destroy
Filealyzer gives
version 1.6.2.14
size 1879896
MD5 hash 022C2F6DCCDFA0AD73024D254E62AFAC

which appears to be the same as on your infected PC.

In IE8, Tools/Spybot search and destroy configuration I have SDhelper active set to 'block all bad pages silently' and experience no problems, but then again the 'allowed and denied' box is empty so maybe I never went to a site it didn't like.

Spybot 1.6.2.46 last updated 30 December 2009

DodgeRules
2010-01-05, 03:09
I just can't understand why they would update the file and not the version within the file. That just makes it harder to track which is the latest.
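
A way to collect the fields the posts compare (version, size, MD5) together with an Authenticode check, as an added PowerShell example that is not part of the thread and not Safer-Networking's tooling. The default path combines the folder and file name quoted above; the function name and the second path in the usage comment are hypothetical.

```powershell
# Added example: report version, size, hashes and signature state for each copy of a DLL.
# The two MD5 values are the ones quoted in the thread; the labels are the posters' own data.
$ThreadBuilds = @{
    '35f73f1936bde91f1b6995510a61e7a8' = '1,562,960 bytes, signing time 2008-09-15'
    '022c2f6dccdfa0ad73024d254e62afac' = '1,879,896 bytes, signing time 2009-01-26'
}

function Get-FileIdentity {   # hypothetical helper name
    param([string[]]$Path = 'C:\Program Files\Spybot - Search & Destroy\SDHelper.dll')
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found: $p"
            continue
        }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $md5  = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $build = '(not one of the two builds in the thread)'
        if ($ThreadBuilds.ContainsKey($md5)) { $build = $ThreadBuilds[$md5] }
        [pscustomobject]@{
            Path        = $item.FullName
            FileVersion = $item.VersionInfo.FileVersion
            SizeBytes   = $item.Length
            MD5         = $md5
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            SigStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer      = $signer
            ThreadBuild = $build
        }
    }
}

# Usage: the second path is a hypothetical copy taken from the other PC.
# $r = Get-FileIdentity -Path 'C:\Program Files\Spybot - Search & Destroy\SDHelper.dll',
#                             'E:\from-other-pc\SDHelper.dll'
$r = @(Get-FileIdentity)
$r | Format-List

# Copies whose signature does not verify: version and size say nothing about these.
$r | Where-Object { $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "Signature $($_.SigStatus): $($_.Path)" }

# Same FileVersion but more than one distinct hash: the situation described in this thread.
$r | Group-Object FileVersion |
    Where-Object { @($_.Group.MD5 | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "FileVersion $($_.Name) has multiple builds" }
```

`Get-FileHash` requires PowerShell 4.0 or later.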