Here are some MS articles on the service: http://technet.microsoft.com/en-us/library/cc757805.aspx http://technet.microsoft.com/en-us/community/cc512740.aspx I've exported the key, minus this subkey (just because I wasn't sure I should be posting this portion of it): [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security] "Security"= Hex Here Here is the rest of the key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4] "Type"=dword:00000020 "Start"=dword:00000002 "ErrorControl"=dword:00000001 "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\ 74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\ 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\ 6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 "DisplayName"="IPv6 Helper Service" "DependOnService"=hex(7):52,00,70,00,63,00,53,00,53,00,00,00,74,00,63,00,70,00,\ 69,00,70,00,36,00,00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,00,\ 00 "DependOnGroup"=hex(7):00,00 "ObjectName"="LocalSystem" "Description"="Provides DDNS name registration and automatic IPv6 connectivity over an IPv4 network. If this service is stopped, other computers may not be able to reach it by name and the machine will only have IPv6 connectivity if it is connected to a native IPv6 network. If this service is disabled, any other services that explicitly depend on this service will fail to start." [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Config] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Interfaces] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters] "ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\ 00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\ 36,00,74,00,6f,00,34,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum] "0"="Root\\LEGACY_6TO4\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001 As I said before the dll name loaded for this service is 6to4svc.dll (as you can see in the registry, once you decode the hex). If you look up the dll it is regarded as safe (and signed by MS). All the links I clicked through that regarded this service as an infection were loading a differently named DLL. Let me know if you want any more info.