I used search function but found no link to this known topic. The old story of omnipresent ~DF***.tmp files in temporary folder on NT/XP/Vista OS. I think it could be useful to create a little sum up topic about because many people search the web for these files in relation to security issues and security related questions or problems. If you enter DF in google you will likely stumble first over DeltaForce. Usually AVs don´t flag these files but they contain interesting coded informations. Virscan e.g. denominates them as microsoft office files but many don´t use ms office and the files are still present. Sometimes they are also flagged as multistream ole components. People speculate if they are part of firewalls or antivirus engines but this isn´t always the case imho. If you analyze them and do some forensics you always find some similar char chains in it like: GIF89a, GIF, RUE, AV as well as CIA, SPI, OSY, SMI. To view these strings clearly you need to configure a good filter system or use a hex editor. Sometimes these ~DF´s are a locked handle of svchost.exe, they vary in size 80, 112, 304 kb e.g... later more.