Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

So far it's been between 10 and 40 hits about 1-10 seconds apart (the lower quantity and longer variation may be due to already canned IPs being blocked elsewhere and not logged here). There appeared to be a build-up over a few days in groups of four hits on two IPs.

Typically the hits are from half a dozen IPs approx in rotation but often coming two successive hits per IP. Some are coming through proxies with no FWD but with a VIA of (so far)...

1.1 announce.cztorrent.net
1.1 counter.auti.hr
1.1 MFWIFW00, 1.1 MFWIFW00
1.1 PNS
1.1 VAG-VGS-ISA1
1.1 www.lsi.die.upm.es
1.1 www.rocketdispatch.com

Sources vary between (probably compromised) web servers and broadband. A proportion of the hits were from web servers on University IP ranges.

Hits so far have been on forms and guestbook pages plus home page. I THINK the forms/guestbooks are not in SEs but they are commonly hit by bad bots.

My reason for believing it's hackers is because it's highly unlikely I'd get a spate of 10-40 hits within seconds from a true AVG from places as distant as Germany, Sweden and USA. So far I haven't seen any acompanying SQL Injection code on these hits.

I'm reluctant to auto-kill the offending IPs because I'm still getting a few "genuine" AVG prefetches.