1. Load the .dll in a disassembler
2. Scroll down from the entry point, find the next POPAD and set a hardware breakpoint on the next JMP opcode
3. Run till execution. The crappy hack is now unpacked.
4. Find shitty keylogger
Then search for referenced strings. You will find:
1003D858 PUSH Project_.100561BC ASCII "Norwegian-Nynorsk"
1 min of asm and you have already found something suspicious.
Sounds strange, doesn't it? Too many to be an account/charname but you should look deeper into this.
If not on asm level try to login /whois Norwegian-Nynor or some variations with 2 missing letters.
It also may be some keyword to trigger malicious activity.
That's a coding forum, so if you want help with code, feel free to ask.
To create a message log you've got many possibilities:
Use the internal D2 functions where the messages get passed.
Use the LastMessagepointer
Packet GS 0x26 and BNCS 0x0F packet.
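
Steps 1 to 3 at the top rely on the packer stub ending in a POPAD followed by a far JMP into the unpacked code. As an added example (not part of the original post), this Python script scans a dumped stub for such POPAD/JMP pairs and computes the jump target, so an analyst can confirm where to place the breakpoint; the base address, stub bytes, target address and function name are constructed for illustration, and the byte scan is a heuristic, not a disassembler.

```python
import struct

POPAD = 0x61      # x86 POPAD opcode
JMP_REL32 = 0xE9  # x86 JMP rel32 opcode

def find_tail_jumps(code, base, window=32, min_distance=0x1000):
    """Return (popad_va, jmp_va, target_va) for every POPAD that is followed
    within `window` bytes by a JMP rel32 travelling at least `min_distance`
    bytes. Short jumps stay inside the stub and are skipped."""
    hits = []
    for i, byte in enumerate(code):
        if byte != POPAD:
            continue
        # Stop early enough that the 4-byte displacement is fully in range.
        end = min(i + 1 + window, len(code) - 4)
        for j in range(i + 1, end):
            if code[j] != JMP_REL32:
                continue
            (rel,) = struct.unpack_from("<i", code, j + 1)
            if abs(rel) < min_distance:
                continue
            # The target is relative to the end of the 5-byte JMP.
            target = (base + j + 5 + rel) & 0xFFFFFFFF
            hits.append((base + i, base + j, target))
            break
    return hits

# Constructed sample: a stub tail at an assumed base address, ending in
# POPAD, a short stack-cleanup sequence, then JMP to an assumed target.
SAMPLE_BASE = 0x10060000
SAMPLE_TARGET = 0x10001000
_prefix = bytes.fromhex("90909090" "61" "8D442480" "6A00" "39C4" "75FA" "83EC80")
_rel = SAMPLE_TARGET - (SAMPLE_BASE + len(_prefix) + 5)
SAMPLE_STUB = _prefix + b"\xE9" + struct.pack("<i", _rel) + b"\x00" * 8

if __name__ == "__main__":
    for popad_va, jmp_va, target_va in find_tail_jumps(SAMPLE_STUB, SAMPLE_BASE):
        print(f"POPAD at {popad_va:08X}, JMP at {jmp_va:08X} -> {target_va:08X}")
```

Because 0x61 and 0xE9 can also occur as operand bytes, treat each hit as a candidate and check it in the disassembler before relying on it.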