I believe the attacker got your private keys a few days after you put your computer back online. He was probably monitoring your address, waiting for you to put more money there.
OP wiped his computer, that should be enough to remove all traces of private keys. I still prefer a Linux LIVE DVD though, running from memory to ensure nothing ever ends up on a hard drive.
...And less hassle of zero-filling the disk for paranoids (+ reinstalling OS and drivers takes time).
He must have browsed to the webpage then cut down the connection.
His supposedly randomly generated private key wasn't random at all but a pre-generated key from an image file, and it can be reproduced by the culprit.
So even if he's offline the whole time (after loading the page), they can regenerate the possible key based on the malicious page's provided image.
This won't happen if he used the original code from Github.