Hacked: ? shadow transactions without signing

When I transfer some ETH to an other address by Metamask and sign with my trezor, the blockchain (on etherscan) shows my transfer, but also the transfer of some ERC-20 tokens which I didn't sign:

The same amount in ERC-20 tokens: ETH….eum and the same amount in ETH….. are send from my sending address to the destination address for the first ETH transfer.

How is it possible that transactions occur on my adressess without me signing?

And even more strange: how can there be send tokens that do not exist at the sending address

Does this happen to other people? Anyone any idea?