The question is how large that search space is. If you can get a reliable list of directory names and file names then it might be small, but if you are left iterating characters in filenames (and this appears to be Unicode) then I'd imagine you'd run into the same situation.

I'd be much more tempted to look at the fact that the first four bytes of the RC4 key stream appear to be recoverable and look at key recovery from that.

PBKDF2 uses a hash function which need not be SHA-1 and applies it a variable number of rounds with a recommended minimum of 1000.