You're perfectly right. PBKDF2 (Password-based Key Derivation Function 2) takes your password as an input, derives a key from it and outputs that. This key is then fed into an encryption algorithm like AES in order to actually encrypt anything.
Sure, in the same way that MD5 is (although you'd want to use PBKDF2 instead of MD5). But you can't actually encrypt with PBKDF2 itself, much like you can't with MD5
> 2. AES is used in CBC mode with a different IV for each account.
Depending on the actual implementation (if everything is just one encrypted blob or if individual records are encrypted separately) using the same IV for all data in one account can be pretty bad.