....did you install Java 6.0 prior to scanning?
Good question. It has forced me to think a bit about the sequence of events, and actually raises another question. The answer may mean that I'm not being overly helpful.
I would have installed Java 6.0 prior to scanning with Sophos, or the ClamXav scan that found some things but which I couldn't recollect.
Did the ClamXav scan, which was first, remove them from the Java 6.0 cache folder? I now have no way of knowing so, I may have had a similar issue as you but I can't confirm.
ryck