My network has been compromised and I need help

I feel like an idiot and I need some help or advise.
I’ve been slowly learning penetration testing.4 days ago I get a text message giving me a TFA code to reset my ring doorbell. I, nor anyone at my home requested a password reset. That’s when the problem started. I started having problems accessing some of my Proxmox network and I started getting messages from web sites telling me my IP has been blocked because of suspicious activity. That could have been caused by me scanning my network with Wireshark??
I tried using my tools in Parrot OS to solve this issue but things kept getting worse. I think my Spectrum SAC2V router was flagging me because I was scanning my network with Wireshark. I finally pulled the plug and disconnected from WAN. Now I fired back up my Proxmox cluster and one node is giving me a man in the middle attack warning on one node saying a key has been modified.
This is very much a Parrot OS question because I have Parrot in 11 laptops and I had several Parrot VMs in Proxmox. I want to just wipe all 6 nodes that appear to be compromised, but I’m not learning by doing that.
I have been trying to learn this trade , but I’ve focused more on learning Linux better before I got very deep in the Penetration testing learning.
Is there any ethical hackers on here that can help me figure this out? I don’t want to just run a tool and let it fix this. What I’d really like is some step by step directions on where to start and exactly how to fix this with one of my Parrot OS laptops.
I’m sorry for the long dissertation, but I learn best under pressure. And that’s where I’m at right now

Not sure what happened exactly but I can say it was not caused by “scanning your network with wireshark”. Wireshark is a passive collection tool. All packets that hit that interface are captured.

No I guess I wasn’t clear. I was scanning my network to try and find out what was going on. I was trying to figure out if Spectrums security picked up someone scanning from my IP?
I’m still learning so this was more of a question. I didn’t start seeing the “suspicious activity” warnings until I started scanning

Hi Bill,

Do you have anonsurf running while this error? Or you are using the tor browser I guess!

Websites like youtube, quora often show this message when I use onion-routing things.

Overall I am also new to Pentesting, so I did not understand many of your statements like (ring doorbell, Node giving MITM Warning, etc)
Apologies for that.

What tools were you using or scanning with?

I only scanned with clamav, rkhunter. I was not running TOR or Anonsurf. This entire situation has taught me a valuable lesson. So I am starting over for the umpteenth timer. This time I am starting with the very basic network training. I’ve always been the type of person to jump in way over my head until I am ready to throw my hands up. then I go back to the basics and they seem to make so much more sense. Now I am having weird issues with the setup of my networking lab, switches and routers. these are not Parrot related so I am asking my questions in a different forum. Anyway, you guys are great. i appreciate all the help you’ve given me along the way. I am not going to give up, but I will be spending a lot less time using Parrot OS and learn my networking with a lab I am setting up of three old Thinkpads running Debian 11. I could use some advise on any good , structured (open source) network basic training if anyone has any suggestions?
Parrot will always be my go to OS for future pentesting training and use though

I don’t know what did you see, but let me tell you this: ClamAV is a static scanner. It’s totally based on signatures, no emulators no behavior scan, so the scan result is very limited. rkhunter or chrootkit don’t even use signature based detection. I’m not so sure about rkhunter, but chrootkit only uses file exists method most of time, so it has massive false positive and it can miss so many actual malwares in the system.