The UA sub-string "MSIE 7.0; Windows 98;" or "MSIE 8.0; Windows 98;" in an otherwise normal or semi-normal MSIE browser string. I don't believe either browser works with Windows 98, although I may be wrong. I also don't think it's a mobile because those are usually MSIE 6.0 with other identifying codes (e.g. "Win 9x 4.90;") (note: quotes are mine, not in originals).
In general the UAs often include suspect or otherwise toolbars, plug-ins or extensions (zango, dealio, alexa, Maxthon, zune, MEGAUPLOAD, MyIE2, IEMB3, Crazy Browser, Avant Browser), sometimes several in the same UA. In fact, the number of add-ons is far higher for this small group of UAs than for any other group I've seen, as if the users are techno-freaks with no regard for their own safety.
In some cases the UA changed in mid-access, in at least one instance re-accessing the same pages (contact forms) as if on a second pass. In general the pages hit were unusual for a domestic browser (aup, how-to-link etc.), suggesting auto-scans.
In at least two instances, during 20-ish hits in approx 60 seconds each on various unexpected pages on two linked sites, the UA changed several times, mostly (but not always) including the same add-ins but ringing the changes on browser (IE6/7/8) and OS (98, NT 4.1, 5.2 and 6.1). (There may have been other hits during this time: I only trapped suspect UAs/add-ins and a "normal" MSIE UA would not have registered in these logs.)
IPs seem to always be in the domestic range but a few I've checked return responses to pings, suggesting open ports that shouldn't be on normal domestic computers.
Most, but not all, hits seem to be on a couple of directory sites with high-ish page returns.
A couple of the UAs include the MSIE7/8 Optimized substring but I don't suppose those browsers actually emulate for Windows 98... Surely not... Do they?
Anyway, they're now blocked with prejudice.
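The two signals described in this post, as an added example that is not part of the original post: a UA claiming MSIE 7.0 or 8.0 on Windows 98, and one IP presenting several different browser/OS pairs within about 60 seconds. The log entries, the function names and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries (IP, timestamp, User-Agent); not taken from real logs.
SAMPLE = [
    ("203.0.113.7", "2010-03-01 10:00:02", "Mozilla/4.0 (compatible; MSIE 7.0; Windows 98; zango 10.0; Alexa Toolbar)"),
    ("203.0.113.7", "2010-03-01 10:00:15", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; zango 10.0; Alexa Toolbar)"),
    ("203.0.113.7", "2010-03-01 10:00:40", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; zango 10.0; Alexa Toolbar)"),
    ("198.51.100.9", "2010-03-01 10:00:05", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("198.51.100.9", "2010-03-01 10:05:00", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
]

# Captures the claimed MSIE version and the OS token that follows it.
UA_RE = re.compile(r"MSIE (\d+\.\d+); (Windows(?: NT)? [\d.]+|Win 9x [\d.]+)")

def browser_os(ua):
    """Return (MSIE version, OS token) claimed by the UA, or None if absent."""
    m = UA_RE.search(ua)
    return (m.group(1), m.group(2)) if m else None

def impossible_pair(ua):
    """True for MSIE 7.0 or 8.0 claiming Windows 98, the combination the post flags."""
    return browser_os(ua) in {("7.0", "Windows 98"), ("8.0", "Windows 98")}

def rotating_ips(entries, window=timedelta(seconds=60), min_variants=2):
    """IPs showing at least min_variants distinct (MSIE, OS) pairs inside one window."""
    by_ip = defaultdict(list)
    for ip, ts, ua in entries:
        pair = browser_os(ua)
        if pair:
            by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), pair))
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct pairs seen from this hit up to `window` later.
            seen = {p for t, p in hits[i:] if t - start <= window}
            if len(seen) >= min_variants:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    for ip, ts, ua in SAMPLE:
        if impossible_pair(ua):
            print("impossible browser/OS pair:", ip, ts)
    print("UA rotation within 60s:", sorted(rotating_ips(SAMPLE)))
```

The rotation check only sees hits that reach the list it is given, so it needs the full access log rather than a log of already-trapped UAs.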