But please note this is not anything new: it has actually always been so.
Linux/Unix users somehow know (count on) this and really, really take care of which account they're working under. They usually use the root (=admin) account only if they really need to (such as to make some changes in the system config or install a program). Otherwise, they run under an account with limited rights (limited only to the extent that their apps work OK, of course) and this is because they somehow anticipate that something bad will happen. And if something bad really happens, running under a non-root account can mitigate the threat enormously...
Dwarden, why do you think that protection of the ini file would help? There are multiple places where avast stores its configuration: registry keys, the ini file and the data storage (the mdb or xml file) where avast actually stores all task settings (including the on-access task). So it'd actually make more sense to tamper with the data storage than with the ini file, I guess... Anyway, if the malware doesn't change any of those, it can patch any of the avast files. Same effect. And if it doesn't patch any of the files, it can remove the reference to avast from all the registry entries (preventing it from starting on next boot). Same effect... Etc. etc. You see what I'm saying? There are unlimited possibilities. There's no generic way to fight that. The only way is not to run under the admin account.
Cheers
Vlk