MySQL Forums

Re: Replication Security
Posted by: Rick James
Date: August 24, 2009 05:19PM

If you don't have slaves, then simply turn off creating the binlog by commenting out log-bin in my.ini (my.cnf). That should (I think) prevent any server from pretending to be a slave. (And ignore my suggestions relating to it.) Replication is off by default (probably).

--skip-grant-tables is settable/clearable only(?) on startup.

Those queries are hitting the GRANT information. There could be a utility that cleans up the logins, or there could be a virus. I don't recognize them. You are on Windows, right?

The first one seems to remove any useless rows (all(?) priv = 'N') to any single database (user.db). The SELECTs seem to be fetching info about 'root'.

I suspect there are more naughty queries; these don't seem sufficient to be harmful.

A guess: Something is continually opening a back door as fast as you close it. I suspect they are coming in through 'localhost'.

Plan A:
If you can run this, do so:
GRANT ALL ON *.* TO notroot@localhost IDENTIFIED BY 'secret' WITH GRANT OPTION;
Then _you_ have a back door.

Plan B:
Delete the socket by which "localhost" connections are made (while mysql is running). Then connect by IP address. If you can get in, lock it down. (Restart to get localhost working again.)

Plan C:
Get a new machine. After downloading the binaries, disconnect it from the outside world. Then install mysql, and promptly lock down root, etc.

Please post your findings -- if this is a virus, lots of people would like to know.

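Added example, not part of the post above and not MySQL's own tooling: a small check that reads an option file (my.cnf / my.ini) and reports whether the two settings the post mentions, log-bin and skip-grant-tables, are actually in effect under [mysqld]. The function name and the sample files are constructed for illustration, and it assumes the settings live in the [mysqld] group of a single file.

```python
import configparser

# The two server options the post mentions. MySQL accepts '-' and '_'
# interchangeably in option names, so keys are normalised to '_'.
WATCHED = ("log_bin", "skip_grant_tables")

def audit_option_file(text):
    """Return {option: value-or-True} for watched options set under [mysqld]."""
    # Strip indentation (configparser would read it as a continuation line)
    # and drop !include / !includedir directives, which it cannot parse.
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if not ln.startswith("!")]
    cp = configparser.ConfigParser(
        allow_no_value=True,      # bare options such as "skip-grant-tables"
        strict=False,             # option files may repeat groups and keys
        interpolation=None,       # '%' in values is literal
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=("#",),
    )
    cp.optionxform = lambda key: key.strip().lower().replace("-", "_")
    cp.read_string("\n".join(lines))
    found = {}
    if cp.has_section("mysqld"):
        for key, value in cp.items("mysqld"):
            if key in WATCHED:
                found[key] = True if value is None else value
    return found

# Constructed sample files, not taken from the thread.
BEFORE = """
[client]
port = 3306
[mysqld]
log-bin = mysql-bin   # binary log on
skip_grant_tables
"""
AFTER = """
[mysqld]
#log-bin = mysql-bin
# skip-grant-tables
port = 3306
"""

if __name__ == "__main__":
    print("before:", audit_option_file(BEFORE))
    print("after: ", audit_option_file(AFTER))
```

An empty result means neither option is set in that file; options passed on the server's command line are outside what this check sees.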

