I agree it's nice to see password recovery tools flagged as potential viruses, I've also seen nod32 flag a lot of irc scripts and nasty bots coded for the linux bash shell while I've been downloading them for analysis onto a windows machine.
Spybot is strictly dictionary based as far as I'm aware,
and yes, you can do just a heuristic scan with nod32 - latest version for sure. The easiest way to do so is to open up nod32, select computer scan, click on custom scan, click on setup, then on the left go to options - there you can disable everything but heuristics and advanced heuristics.
I haven't had any problems with NOD32 (viruses or annoyances with the nod32 software) in the past 2 years. I highly recommend it.