And check the file integrity?
Are you downloading it from places other that Microsoft?
From Microsoft. Use SSL to download. There is no way to tell that Microsoft has introduced a rootkit as hashes only spot changes, not malicious changes. Plus you would be getting the hash from Microsoft.
Any hashing tool will work https://support.microsoft.com/en-us/kb/889768
But you should avoid MD5 and go for SHA1 or above.