Hello!
I had the same nasty bugger every time I started my PC. The problem is a bit that ESET does say it found it and removed the thread but it doesn't give you any clue of where to look.
I looked at some other places and found a simple powershell script which is (I think) used to supress the output/errors from the execution of the 'coin stealer'. I think it's even a legit Microsoft script but it's located in an obscure directory. In my case it was windows/system32/pNYnr7eT1 and it's name was 'ABDA11A9-426A-4502-AD21-CF4E4B5F6D59'
Instead of looking in all logs I just started event viewer, looked under Applications and Services Logs > Windows PowerShell and checked the executions against the times the coin stealer was detected (see attachment),
That points me directly to the location of the virus/trojan itself which is C:\Windows\System32\drivers\DfTph\D13FD5F3-3DBE-4FF7-BEFA-932CA6538238.sys (a file of 4147kB).
I renamed that first directory where the normal script is located and I think it prevented the virus from getting active since ESET didn't said something after restart and the event viewer is also not showing the activity.
Nasty thing is that ESET itself doesn't recognize the .sys as a virus. But none did at VirusTotal: VirusTotal - File - bbbd57acdae11e57235a1270e6663b3ea9c7c80080aac07d2711dc4c3f08b098
If I can make someone happy with the .sys file, let me know. But wanted to react since it's way easier to just check EventViewer for weird powershell access.
Kind regards,
Oscar