Another common oversight, and an aid to getting on top of this fast, is changing all admin-capable passwords.
If a user account can open c$ on a remote machine it can use this to spread as quickly as you can clean.
If you use the same local admin username and password on all workstations, it's like wasps and jam.
Even worse on servers: if the payload has hijacked an admin/tech or service account, it has so many ways in.
Check the security logs carefully and audit object access; one payload I found had used a service account with Admin rights to start deleting servers from AD and chunks out of registry keys.
At least change the password of the account that you're using to log in and clean up with, in case it's already been compromised!
If you are running TS or RDP servers, make sure that the local admin accounts are locked down with a strong password; these are another easy way in.
If Sophos is successfully blocking and cleaning it on re-infection, it sounds like you have it contained but have not yet cleaned the source.
Increasing the audit logging gives you a chance to catch whatever user/machine account is being used. Changing the password results in Audit Failures as the process tries to spread, and these start to appear as red dots in the logs, as opposed to a valid account/password that just copies the payload and deletes stuff with an Audit Success message!
Remember, with these types of infections it's only the virus mechanism that spreads; the real damage is caused by the scripts and payloads it can download after it's infected the host!
There are some devastating variants of this type of beast, and some clever people still finding ways to squeeze them into unplugged code holes out there.
@ZeroHour's recommendation is the one thing that Sophos tell you in the manuals is to be avoided, because of the slight risk of Sophos deleting system files, BUT it's the first thing their support team will tell you to do when trying to fight such an outbreak, so a +1 for that idea, especially on your critical stuff if you cannot leave it switched off until you have cleaned everything!
Check your firewall logs, if you can, for unusual outgoing connections from your clients. In SonicWalls you can just enable the uncategorized CFS option and enable HTTPS filtering; this normally flags up any machines that are trying to sneak out and phone home for a payload update.
Best of luck.
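
Added example, not part of the original post: once the admin and service passwords have been changed, the audit failures described above can be grouped to show which source machine is still trying a stale credential against many hosts. It assumes Security events from several machines have been exported to CSV with the column names shown (an assumed layout), uses event ID 4625 (failed logon on Windows Vista/2008 and later), and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

FAILED_LOGON = "4625"  # failed logon; 4624 (success) rows are skipped

# Constructed sample. Computer = machine that logged the event (the target),
# IpAddress = where the logon attempt came from. Column layout is assumed.
SAMPLE_CSV = """TimeCreated,Computer,EventId,TargetUserName,IpAddress
2024-01-10T08:55:12,FS01,4624,svc_backup,10.0.0.23
2024-01-10T09:20:01,FS01,4625,svc_backup,10.0.0.23
2024-01-10T09:20:03,FS02,4625,svc_backup,10.0.0.23
2024-01-10T09:20:04,DC01,4625,SVC_BACKUP,10.0.0.23
2024-01-10T09:20:06,PRINT01,4625,svc_backup,10.0.0.23
2024-01-10T09:21:30,FS01,4625,svc_backup,10.0.0.23
2024-01-10T09:22:10,FS01,4625,jsmith,10.0.0.40
2024-01-10T09:22:25,FS01,4625,jsmith,10.0.0.40
2024-01-10T09:30:00,WS11,4625,Administrator,10.0.0.57
2024-01-10T09:30:02,WS12,4625,Administrator,10.0.0.57
2024-01-10T09:30:05,WS13,4625,Administrator,10.0.0.57
"""


def spreading_sources(csv_text, min_targets=3):
    """Return (source_ip, account, distinct_targets, failures) for each source
    that failed to log on to at least min_targets different machines with the
    same account, most widespread first."""
    targets = defaultdict(set)
    failures = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventId"].strip() != FAILED_LOGON:
            continue
        # Account names are case-insensitive on Windows, so normalise them.
        key = (row["IpAddress"].strip(), row["TargetUserName"].strip().lower())
        targets[key].add(row["Computer"].strip().upper())
        failures[key] += 1
    hits = [(src, acct, len(hosts), failures[(src, acct)])
            for (src, acct), hosts in targets.items()
            if len(hosts) >= min_targets]
    # One user mistyping a password hits one machine; a spreading process
    # fans out, so rank by number of distinct targets first.
    hits.sort(key=lambda h: (-h[2], -h[3], h[0]))
    return hits


if __name__ == "__main__":
    for src, acct, n_hosts, n_fail in spreading_sources(SAMPLE_CSV):
        print(f"{src} tried '{acct}' on {n_hosts} machines ({n_fail} failures)")
```

The sources it lists are the machines to pull off the network and clean first; the `min_targets` threshold is a tuning knob, not a fixed rule.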