Old 02-10-2004, 23:00
Wurstgote
First... thanks a lot for your fast help!

I've compared your tree with mine; there are a few differences: since I'm running Win2K I can't use RestoreLastError, so I replaced it with SetLastError. Next, I've got two more imports in my tree: one is FreeLibrary at 22ADE0 and the other is RtlFreeHeap at 22AE20, but that should give no problems... at least I hope so.

As for why to dump when address 4072DC is reached, I can only guess. Since the JMP there takes me back to ASPR code, I could imagine that some of the code the unpacked app needs for execution is manipulated by ASPR in some way, so if I dump later I dump this manipulated code. Am I on the right track?

In any case, I did a second dump at 4072DC, fixed the IAT and OEP and entered the stolen bytes.
Nevertheless, the app refuses to run.
So, back in Olly and single-stepping through the code for a while, I encounter an access violation: EBX should hold some value, but in fact it's zeroed. Is it possible that I've missed some stolen bytes, or do I have to NOP the call to that part of the code?

Thanks again
Wurstgote