If there was an adware included, it would be reported as an ordinary detection (provided it's detected, of course).
I'd say the screensaver executable is packed by a runtime packer - which the heuristics considers suspicious (amongst other things) and offers the sandboxing.