Instead of removing CNNIC certificates from your system, we should mark them as "untrusted". This way, when your system updates its cerficates, they will not slip in. As a precaution, you might need to form the habit of checking the trusted certficates installed in your system periodically.

In Firefox/Thunderbird, click "Edit" (or Tool) -> Preference -> Advanced -> Encryption -> View Certificates. Then scroll down to find the "CNNIC" cert under root as well as under "Entrust.net". Select the cert, click "Edit", and the uncheck the three checkboxes. Do this on all CNNIC certs you find.

The screenshot below shows you how to find the CNNIC root cert and mark it as untrusted (Click on the image to see enlarged version):

The screenshot below show you how to find the CNNIC cert under Entrust.net (Click on the image to see enlarged version):