Go to some some famous login page, like http://twitter.com (you have to turn off things like HTTPSEverywhere for this to work). Don't login, just look at the raw page with "view source". Hit Ctrl-A
Better yet, start "windump" or "tcpdump" on your machine, save to file, and email me the file, after capturing the login page (but before you login).
What can the hackers have broken into in order to man-in-the-middle webpages?
1. They have an evil WiFi access-point you connected to instead of the hotel's.
2. They compromised the hotel's access-point and installed OpenWRT on it.
3. They compromised a deep-packet-inspect device inside the hotel's network
4. They compromised a device in the upstream network.
If you send me raw captures, I should be able to figure this out, especially if during the capture you do a traceroute.
I've setup an email address to receive this information: email@example.com.