YES you can still get Malware even if you aren't logged in as Administrator!

I'm a firm believer that running with minimal privileges/rights is a good thing from a security perspective. The challenges of running legacy software without Administrator rights have faced most people who've embraced this approach. Aaron Margosis' blog contains many helpful suggestions as does the recording of his excellent session from TechEd.

I recommend replaying the recording of Mark Russinovich's Understanding and Fighting Malware session too as fifty minutes in he explains how User Mode API filtering works and later in the session he shows how this can be used by Malware to hide itself. User Mode API filtering provides the means for Malware to interfere with the messages being sent to user mode processes. Such Malware doesn't have to be running as Administrator.

That's not to say that running with least privileges doesn't help even in this case - at least if you are running as a regular user and accidentally trigger such Malware you have the option of logging in as Administrator to track down the tell tale signs that Malware is present and are able to remove it. Mark explains this whole area far better than I do and hence it's well worth replaying his session.