Where you saw the md5 hash? I really dont know why attackers substitute software but stay original hash. Its ridicilious

I have recently covered the hardware aspects of downloading. Many protocols have error correction, and that error correction is designed to correct bit error. This prevents the old problem of getting halfway into a file, the checksum on a packet doesn't match, it is sent again, it doesn't match again. . . . and so on.

Is your connection marginal?

Error correction is an XOR usually of 2 bits; each bit (theoretically) comes up for mention if 2 XOR comparisons. So permutations of mistakes (e.g. BYTE errors) can cause the wrong correction to be made. You need to describe what is going on in better detail. Faults in error correction are nearly impossible to find. Many of the libraries have been patched. I notice curl uses it's own SSL library, and SSLv3 has recently been disgraced.

You will find nothing until you can eliminate things as sources of errors. To do that, you need to start answering all the good questions posed in this thread.

It (his router) could depending on his nationality. Some governments such as that of the US are very intrusive.

@OP, try using the Tor Onion Routing System. Traffic that goes through there is heavily encrypted and bounced globally making it hard to monitor/tinker with. Download Tor, run it, and download your file through there and see if the MD5s match.

IMPORTANT:
DO NOT log into LQ or any site that requires a login with Tor. You will be marked as a spammer unless you can change how Tor identifies itself.

Also, if you have been affected by something nasty, it would be prudent to take the infected box off of any network and change all passwords that have been used through that box.

rkhunter requires a clean installation and careful configuration before it is ever run the first time
or you will not be doing what you think you are. Your system may never be clean otherwise.