Correct Lonk (not under system) - often it is the user that is running under admin rights and when compromised code is run it too gains those rights.