OK, you lost me. We've had issues with javascripts 'injected' on to clients' web pages, but that has to do with the server security (lack thereof), not the browser (though if you prevented them from running javascripts, then they wouldn't actually be able to do SFA so um... nevermind).
Typical attack progression: malwares pay load dropper roots your box then deploys initial payload which is ad injection, or click fraud agents , after a day or so the machine gets sold on and the data exfiltraton is turned on and your data starts moving out the building, once that's complete or they get bored you end up with the nastiest of all the ramsomeware package, you've probably already done a full deep scan, I'd recommend a second with an alternate AV as the payload dropper looks to see which AV your running and drops malware that isn't detected.
HTH