This issue has nothing to do with Spam Free WordPress, as I will try to explain.
When Spam Free WordPress is active it creates a column in the postmeta table called "sfw_comment_form_password," and stores a password in a row for each post after it is published. When the page loads the comments.php file, Spam Free WordPress pulls the password out of sfw_comment_form_password for that post, and displays it in the password field in the comment form.
It appears that the shopping cart plugin is displaying any available meta data in the database for that post. I don't know why the plugin would do that, or if someone created code to display the data from the sfw_comment_form_password row. Although I can help solve this issue by deleting the passwords from your database, this issue could come up again with another plugin in the future if the problem is not fixed in the shopping cart plugin.
Here's the code I see in your page that did not come from Spam Free WordPress:
<!--close product_description -->
<strong>sfw_comment_form_password: </strong>3ZGEMCQHIACU<br />
To delete the Spam Free WordPress passwords from your database run the following SQL query:
DELETE FROM wp_postmeta WHERE meta_key = 'sfw_comment_form_password';
The SQL query can be run using phpMyAdmin, or the following WordPress plugin: http://wordpress.org/extend/plugins/wp-dbmanager/
The next version of Spam Free WordPress will automatically delete all passwords from the database when it is disabled, then deleted, using the plugins management page.
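An added example, not part of the original post and not code from Spam Free WordPress or the shopping cart plugin: a template that prints post meta can avoid exposing values such as sfw_comment_form_password by rendering only an explicit allowlist of keys. The input has the key => list-of-values shape that WordPress's get_post_meta( $post_id ) returns; the function names, the product_sku key and the sample values are hypothetical.

```php
<?php
// Added example. $meta mirrors the shape of get_post_meta( $post_id ):
// meta_key => list of values. All sample data below is constructed.

/**
 * Return only the meta fields a template is allowed to print.
 * Allowlist first: a key that is not explicitly listed is never shown,
 * so keys added later by other plugins stay out of the page.
 */
function displayable_meta(array $meta, array $allowed_keys): array
{
    $out = [];
    foreach ($meta as $key => $values) {
        $key = (string) $key;
        // Keys starting with "_" are internal by WordPress convention.
        if ($key === '' || $key[0] === '_') {
            continue;
        }
        if (!in_array($key, $allowed_keys, true)) {
            continue;
        }
        foreach ((array) $values as $value) {
            if (is_scalar($value)) {
                $out[] = [$key, (string) $value];
            }
        }
    }
    return $out;
}

/** Build the HTML, escaping both key and value before output. */
function render_meta(array $pairs): string
{
    $html = '';
    foreach ($pairs as [$key, $value]) {
        $html .= '<strong>' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . ': </strong>'
               . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br />\n";
    }
    return $html;
}

// Constructed sample: one product field, one plugin secret, one internal key.
$meta = [
    'product_sku'               => ['SKU-EXAMPLE-1'],
    'sfw_comment_form_password' => ['EXAMPLE-VALUE'],
    '_edit_lock'                => ['0:1'],
];
echo render_meta(displayable_meta($meta, ['product_sku']));
```

Only the product_sku line is printed; the password row and the underscore-prefixed key are dropped before any HTML is built.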